If you didn’t already know, the last week of April was global Privacy Awareness Week.
Quite a few corporate counsel are going to have to plan for major Asia Pacific regulatory developments in data protection and privacy laws that will come into effect in early 2014.
Australia: Australia’s privacy laws have been given a major overhaul, with new uniform laws applying to both the public and private sectors and a particular emphasis on credit ratings data handling, direct marketing, dealing with unsolicited personal information collection and overseas data transfer. The changes will also give the Privacy Commissioner more regulatory teeth for enforcement, including new civil penalties, from March 2014. So, privacy officers and advisors will be working overtime later this year and early 2014 to get ready.
China: Nothing new for 2013 but the PRC Congress enacted the Decision on Strengthening Internet Information Protection (全国人大常委会关于加强网络信息保护的决定) just before the end of 2012 (28 Dec to be exact). Whilst it will rely on lower-level implementation regulations, it does provide a binding draft framework for data collection, use and management of PRC citizens’ electronic personal information. The authorities clearly wanted to tackle spam and identity issues by specifically embedding express anti-spam and true identity validation provisions into the Decision, so marketing and web user registration practices need to be revisited. Draft rules were only released for public comment this month, so the conservative approach for corporates would be to adopt best practice principles.
Hong Kong: No new developments in the pipeline for 2013 as the HK government backs down on changes to remove access to company director residential information currently on the public record in the local Companies Registry. Local HK companies are also just coming to grips with major new direct marketing provisions of the Personal Data (Privacy) (Amendment) Ordinance 2012 which kicked in last month.
Malaysia: The commencement of Malaysia’s Personal Data Protection Act 2010 is still hitting speed humps with the anticipated 1 Jan 2013 start aborted but there is an expectation that it will come into force sometime this year once it is formally gazetted.
New Zealand: Nothing new but last December, NZ’s Privacy Act was given the big tick by the European Commission as sufficiently consistent with European privacy law for the purposes of compliance with EU Directive 95/46/EC.
Philippines: The Philippines’ Data Privacy Act of 2012 commenced last year in September and is a robustly structured privacy regime (statutory and indemnity rights to data subjects, data breach notification obligations!, etc.) with stiff sanctions compared to other Asian jurisdictions. However, it is largely focused on the processing of data subjects that are Philippines citizens and residents. Has anyone seen the long-awaited implementation rules?
Singapore: The island state has implemented a new data privacy specific legislative regime which commenced on 1 January 2013 (unlike Malaysia) but is in a gradual transition period until becoming fully operational in April 2014.
Taiwan: Taiwan was another jurisdiction which delayed commencement of a privacy legislative overhaul. The Personal Data Protection Act (個人資料保護法) finally took effect in October 2012.
Getting on top of regional data privacy compliance is becoming increasingly important, not only for the traditional multinational corporation but just as much for all emerging startups that inevitably rely on online users or customers from multiple jurisdictions and on third-party providers at the back-end to host or process this personal information. The building momentum of commercial cloud computing projects is going to bring privacy compliance to the forefront.
No doubt many of the big multinational data processors and data miners have been reviewing the new privacy law developments across APAC jurisdictions with one eye to see if the current forum shopping and compliance arbitrage structures are still intact. The other eye will be fixed on potentially bigger compliance analysis with the much anticipated EU data protection developments potentially in the pipeline for 2014 to see what future proofing for possible cross-border compliance adjustments can be addressed now. One thing is for sure, data privacy as a strand of corporate governance and risk management is here to stay (and in this digital consumerism and social media era, the compliance bar is only going to get higher…)
More detail on the privacy laws in each jurisdiction in a later series of posts…stay tuned…