September 30, 2019
Over the last few months, Noris Ismail, Managing Director, Data Privacy, Ankura has been meeting clients and fellow data professionals all over the APAC region as well as attending industry roundtables. Here he shares his observations on the current trends, key challenges and opportunities facing businesses and regulators in the region.
GDPR IS A HOT TOPIC IN ASIA
Data professionals have long understood that the GDPR’s reach extends well beyond its European origins. However, its global influence is growing even further as Asian authorities review their national regulation and decide which GDPR-inspired principles and provisions to embed within it.
This process is already well underway with, for example, the Singapore government proposing additional measures to bring its Personal Data Protection Act (PDPA) more in line with the GDPR. This trend appears not only to be accelerating but also widening in scope across the region, with more countries within Asia looking to review, align and implement new measures around data privacy.
Why is this happening? It’s no coincidence that countries such as Singapore, home to the Asia HQs of many multinational businesses, are leading the charge. Such companies are feeling the tension between local, regional and global practices as they do business in Asia and across the world. They need clarity and are turning to local regulators for guidance. Their questions range from how the GDPR applies to them in the context of their Asia activities to what to do if a data breach happens in Asia but also affects EU data subjects’ data. The latter question is currently not easy to answer, with national and regional variations on everything from the requirement to report the data breach to how to address it, prevent further incidents and decide who to notify. The need to find answers is driving the agenda for regulatory review.
CHERRY PICKING IS BLOSSOMING
As pressure mounts on APAC countries to review their regulations in line with global developments, many are starting to ‘cherry pick’ from GDPR. This is also true, to some extent, of global organisations which, faced with the need to satisfy national, regional and EU regulators when processing and transferring data, are adopting elements of the GDPR into their compliance framework.
The issue here is contextualisation and, for regulators, there is a need to take a more proactive approach in order to stay ahead of, and adapt to, a constantly changing business and regulatory world. So, for example, Thailand has passed a law that focuses on the protection of local data, yet the risk is that it provides a false sense of security to companies which, by complying with it, feel safe from regulatory breach. This confidence may be misplaced, however, as the evolution of advanced technologies such as cloud infrastructure, AI, machine learning and AdTech presents not only new opportunities but also challenges. That’s because the global data flows that power these technologies are regulated by national laws which focus purely on local data subjects, and that is inadequate protection. No wonder, then, that some international companies are taking matters into their own hands by adopting GDPR compliance in their data processes.
Indonesia is in the process of finalising local legislation which is reported to be 50%-60% aligned with GDPR, yet with localisation rules that mean if you want to transfer local data beyond national borders then specific authorisation needs to be sought and applied. Add to this mosaic that the Reserve Bank of India requires all unusual cyber-incidents to be reported by banks within two to six hours, and China’s own complex data transfer laws, and GDPR-like consistency across the APAC region seems a long way off.
On a more positive note, by aligning their own regulation more closely with the GDPR, APAC countries are very much on the right road, even though there will be twists and turns along the way. How these new regulations are operationalised and enforced is another key challenge for authorities and a major area of uncertainty for business. The availability of data privacy and cyber security skills is also a key factor.
THE CRUCIAL THREE Cs: CO-ORDINATION, CONSISTENCY AND CO-OPERATION
It’s clear from the above that, with data so vital to global commerce and communication, national and local regulators must work together to assure its efficient and compliant passage between jurisdictions. Doing so will mean taking a co-ordinated and co-operative approach to data privacy.
Governments and their supervisory authorities are making good progress in this respect. For example, Singapore’s Personal Data Protection Commission has signed a memorandum of understanding on intelligence sharing with the UK’s Information Commissioner’s Office (ICO). The arrangement was closely followed by a similar one between the ICO and the Hong Kong authorities. This reflects the high number of global organisations investing and operating within these territories, which provides a strong motivation for regulators to work collaboratively on data privacy regulation.
However, national challenges can still get in the way. For example, Section 33 of the Personal Data (Privacy) Ordinance (PDPO), which deals with the transfer of personal data outside Hong Kong, is yet to come into force. This is of concern to international organisations, who fear that uncertainty over implementation adds risk to their activities.
Putting that specific example aside, the overall trend is very much positive, with other countries in the region such as Indonesia, Malaysia, Thailand, Vietnam and Cambodia actively sharing data and intelligence or planning to do so in the future. The underlying reality may be even more positive because regulators often prefer to develop their plans quietly until the fundamental structures are in place. So, although not yet visible, progress in achieving greater harmonisation across the region may be further advanced than we currently grasp.
The Association of Southeast Asian Nations (ASEAN) may be a key player in this respect. As the regional intergovernmental organisation comprising ten countries in Southeast Asia, it represents the third or fourth largest trading group in the world and ranks even higher if we focus solely on trade with the EU. Its members’ shared interest in advancing work in e-Commerce and innovation makes it a powerful ally for those looking to increase co-ordination and co-operation in data privacy matters across the region. Having said that, those expecting an EU-style system are likely to be disappointed. Harmonisation, driven by the region’s common appetite to drive digital growth, is likely to be the ultimate outcome rather than the cross-European single set of rules seen with the GDPR.
CYBER SECURITY HITS THE HEADLINES
Recent headlines are driving cyber security higher up the agenda for corporates and regulators alike. Again, a lack of consistency between countries and regions is creating issues. One good example was a recent major breach in Hong Kong. As you probably know, there is currently no mandatory requirement to notify authorities or data subjects about data breaches in Hong Kong. However, in this case, the seriousness of the breach, high levels of media attention and the reaction of customers meant that regulators did take action, issuing corrective guidance to improve security systems. An audit of the organisation uncovered bad governance and poor policies in place.
This illustrates two connected points. Firstly, that organisations must look beyond local regulation in order to protect their reputation and optimise vital processes. Secondly, that even if regulators are largely reactive – as they have tended to be in Asia so far – organisations themselves must be proactive, looking for the best data privacy model for their business, rather than merely satisfying minimum levels of compliance.
MAKING INTEROPERABILITY OPERATIONAL
The ability to transfer information across country borders is challenging when privacy laws differ from country to country. There are several ways to overcome this, including binding corporate rules (BCRs), but Asia has generally championed the APEC Cross Border Privacy Rules (CBPR) System. This helps bridge differences by providing a single framework for the exchange of personal information. Participating countries within APAC include Singapore, South Korea, Chinese Taipei and Japan. The pros and cons of different data transfer arrangements are outside the scope of this article; however, it did seem clear from my conversations that many organisations had work to do in order to meet the certification standards that CBPR requires. Signing up to CBPR is the start of the journey, not the end.
CLEANING UP FOR THE WHITE LIST
When a non-EU country’s domestic laws or international commitments are judged sufficient to ensure an adequate level of personal-data protection, an exemption is granted. Or, in simple terms, they are put on the GDPR White List. Japan was awarded this status in early 2019 and is so far the only country in Asia to achieve such status, although South Korea is currently working towards this goal.
While the White List offers huge potential benefits in terms of being able to transfer data more smoothly, the reality is that many organisations within Japan have some way to go before enjoying them. It is estimated that less than 10% are ready to ‘walk the talk’ in terms of living up to the specific demands of White List status. The easiest way to explain the disjunction is that being on the White List does not make you ‘exempt’ from GDPR; it means you should meet its requirements, or at least reach very near equivalence. This view is supported by the fact that South Korea, a very dynamic landscape in terms of data privacy and with some of the strictest regulation going, is inching rather than striding towards approval. Other countries within Asia which see this as a path to harmonisation may find it more difficult still.
A final word on the data privacy models that international companies are using to navigate the differing compliance and business issues they face in Asia. I cover this area in more detail in a previous article, so will limit myself to one observation: that some multinationals with a relatively mature data privacy programme are deploying a decentralised model. This means that the technical, security and governance aspects of data privacy are operationalised on a country-by-country basis. As such, they are driven by the risk landscape of each region or jurisdiction in which they operate. While this has advantages in terms of responsiveness to local markets and minimising compliance processes, it does risk a lack of continued alignment and consistency. It’s a model that would not suit more centralised organisations with a more standardised product or service.
It also adds a nuance to the idea of being proactive or reactive. Should companies be responding to the regulatory regime within each country or setting their own gold standard for data privacy and sticking to it, even if it exceeds local compliance needs? In a world where trust is a key issue for consumers and citizens, perhaps being proactive is both the way ahead for regulators and the best route to commercial success for corporates.