If you have business operations in Asia, you will be confronted with a patchwork of data transfer laws.
The Asian Business Law Institute (ABLI) has published a summary of data transfer laws across 14 Asian jurisdictions.
Spurred by the EU’s GDPR and other global reforms, many of these laws are being revised. The ABLI summary sets out the known changes and will be updated periodically.
Three different approaches to allowing data transfers
1. Consent-first data regimes
Consent-first regimes such as Japan and South Korea do not place explicit restrictions on the countries to which data can be transferred with customer consent.
2. Accountability regimes
These regimes, such as Australia and the Philippines, allow export of data to another country provided that the exporter continues to bear responsibility for the use of the data in that other country.
3. Adequacy-first data regimes
The most common approach, used in Singapore, Macau, Malaysia and Thailand, permits cross-border data transfers to countries where the recipient organisation has adequate data protection standards.
Some regimes are hybrid models. Hong Kong allows data transfers without consent to ‘white list’ countries (which the Government considers to have adequate protections) or to other jurisdictions with the customer’s consent. But in other jurisdictions, such as India and Indonesia, ‘consent’ and ‘adequacy’ are cumulative requirements rather than alternatives.
What are the requirements for consent?
Most Asian jurisdictions require consent to be ‘freely given’ and ‘explicit’, which usually means that the possibility of the export of data to a foreign jurisdiction has to be identified.
However, rules differ over how the customer has to be told. In Australia and Thailand, the exporting organisation needs to inform individuals if the recipient country does not offer comparable data protection.
But in Japan, the customer has to be provided with all the information needed to make a decision about whether to agree to the transfer, including the destination country and how the data will be treated. Singapore requires a summary, in writing, of the protections in the jurisdiction to which the data is exported.
Can you self-assess?
In Australia, the APPs are waived where the data exporter reasonably believes that the recipient has a “law, or binding scheme…substantially similar to the way in which the APPs protect the information” supported by enforcement mechanisms.
But in Hong Kong, India and Japan, the relevant government agency decides whether the recipient jurisdiction has a comparable level of privacy protection. Other jurisdictions, such as Thailand and Indonesia, are unclear about who decides comparability. New Zealand’s new law will introduce self-assessment.
Can you outsource data storage or processing?
Outsourcing, such as to cloud providers, can be achieved across most Asian jurisdictions:
- Japan and soon South Korea explicitly waive the requirement for customer consent for data transfers to outsource providers. Malaysia treats transfer to an agent as if it is disclosure within the same entity; and
- 10 jurisdictions will accept contractual safeguards between the data exporter and the recipient as providing adequate protection (for example, Australia, Hong Kong, Japan, Malaysia, New Zealand, Singapore and South Korea).
Singapore imposes an express obligation on a business using a cloud service to ensure that the cloud service provider, wherever located, ensures that Singaporean data protection requirements are met. A foreign cloud service provider which hosts data outside Singapore also can get certified in Singapore, making life easier for businesses using its services.
Beware of data localisation measures mandating that companies store and/or process personal data generated within the country: Indonesia, PRC and India.
What about intra-group transfers?
Most Asian data protection laws also recognise intra-group rules (called Binding Corporate Rules or BCR) as the basis of ‘adequacy’ - Australia, Hong Kong, Japan, New Zealand, Singapore, Thailand and India. BCRs are implied in Macau and Malaysia. South Korea and Vietnam do not recognise BCRs.
Bringing some order to this chaos
There are regional efforts underway to mitigate the impact of local law differences on data transfer. Countries which are party to the APEC Cross-Border Privacy scheme can have their data protection practices assessed as compliant by an APEC-recognised Accountability Agent, which will then ease transfers to those jurisdictions. Japan, Singapore and South Korea have gone through this process – Australia is a party to the arrangement but has not yet been certified.