The EU GDPR’s impact on ASEAN data protection law
September 2019 | PROFESSIONAL INSIGHT | DATA PRIVACY
Financier Worldwide Magazine
September 2019 Issue
Technology and the rise of the digital economy have transformed our lives for the better in many ways. However, data breaches and data security threats loom over us. The Cambridge Analytica incident that came to light in 2018, in which the data of millions of Facebook users was obtained without proper permission, underscores the risks of freely sharing personal data digitally and the need for robust laws and practices to protect personal data and privacy.
Facebook agreed to pay a $5bn penalty to the US Federal Trade Commission (FTC) over the matter. The FTC also reached a settlement of up to $700m, covering consumer compensation and civil penalties, with Equifax over the 2017 Equifax data breach, which compromised the credit data of 147 million Americans. The FTC wants businesses to take greater accountability for protecting personal data, as FTC chairman Joe Simons said in a statement: “Companies that profit from personal information have an extra responsibility to protect and secure that data”.
Hopefully, the FTC’s recent settlements will spur data regulators around the world to take a similar position. Countries should be incentivised to implement comprehensive data protection laws that keep pace with modern technology, because threats to data security will only become more sophisticated and complex. So far the headlines have emanated from the US and Europe.
But the Association of Southeast Asian Nations (ASEAN) is catching up, although the development of data protection regulation in ASEAN has so far been uneven. Until recently, Singapore, Malaysia and the Philippines were the only ASEAN countries with personal data protection laws. The latest country in ASEAN to enact a data protection law is Thailand, whose parliament passed the Personal Data Protection Act in early 2019. Indonesia has been mulling over a general data protection law and has draft legislation which has yet to make its way through the legislative process. The remaining ASEAN countries do not have overarching regulatory frameworks for data protection, although sector-specific laws and laws governing electronic media do regulate personal data.
Data breach notifications
Data protection laws in ASEAN countries impose security obligations on data controllers and processors to protect personal data. Unfortunately, not all ASEAN countries impose a mandatory requirement to inform authorities and data subjects of data breaches. Malaysia, for example, currently has no such requirement.
In Singapore, organisations are currently advised, but not required, to notify the Personal Data Protection Commission (PDPC) of data breaches that might cause public concern or harm a group of individuals. The PDPC has indicated its intention to introduce a mandatory data breach notification regime as part of proposed amendments to the Personal Data Protection Act.
In the Philippines, the regulator must be informed within 72 hours of an organisation learning of, or having reasonable belief that, a personal data breach has occurred. Affected data subjects must also be notified within 72 hours.
In Thailand, a data controller must notify the Office of the Personal Data Protection Commission within 72 hours of becoming aware of a data breach that might affect personal rights and freedoms. Where the breach poses a high risk to personal rights and freedoms, the data controller must also notify the affected data subjects.
In Indonesia, there is no requirement to notify the authority of data breaches. However, the electronic system provider must inform the data owner in written or electronic form within 14 days of the breach, along with the reasons for the breach.
The EU GDPR and its effects
The coming into force of the European Union’s General Data Protection Regulation (GDPR) in May 2018 introduced higher standards, stricter rules and tougher sanctions in the EU, with extraterritorial application. For example, the GDPR imposes stricter requirements for requesting and obtaining consent than the personal data protection laws of ASEAN countries. The GDPR regulates how companies use the personal data of individuals in the EU in terms of privacy, security and transparency, and it applies not only to companies in the EU but to companies and organisations worldwide that process or hold the data of EU residents.
As ASEAN trades heavily with Europe, it is becoming important for businesses in the region to comply with EU regulations. Because of the GDPR, many ASEAN countries are reviewing their own data protection laws and may develop similar regulatory frameworks, both to protect their citizens and to enable local businesses to operate globally through a degree of comity in regulatory approach. The next section provides some insight into how individual ASEAN countries are adapting to the GDPR.
Malaysia is in the midst of reviewing its Personal Data Protection Act 2010 (PDPA) to align it with the GDPR. The minister of communications and multimedia, whose ministry is responsible for the protection of personal data, has said that one objective of the review is to align the PDPA with international requirements on personal data protection, including many of the key elements of the GDPR. According to the minister, “Malaysia has the PDPA which was formulated in 2010, but after nine years, there are so many new developments and it is important for the existing law to be amended to ensure that we are up-to-date with the current developments”. The review began in 2018 and is ongoing; no timeframe has been set for when the PDPA will be amended.
Singapore’s Personal Data Protection Act 2012 (PDPA) shares many principles with the GDPR, in that both require consent from the individual for the collection, use or disclosure of personal data. As part of an ongoing review, a discussion paper was issued on introducing a right to data portability, which would give users greater control over the movement of their information between service providers. More recently, Singapore has appointed the Infocomm Media Development Authority (IMDA) as its accountability agent.
Singapore joined the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system in March 2018 and has become the third economy, after the US and Japan, to operationalise the system. As accountability agent, IMDA will ensure that the privacy policies and practices of participating organisations comply with the APEC CBPR and Privacy Recognition for Processors (PRP) requirements through independent third-party assessments before certifying them. By appointing IMDA, Singapore has shown a deep commitment “to pursue a better data protection mechanism that does not hinder innovation and development”, according to the chair of the APEC electronic commerce steering group, Shannon Coe.
The Singapore Personal Data Protection Commission has also been robust in its enforcement of the PDPA. In August 2019, five companies were fined a total of S$117,000 for breaching data privacy laws by failing to secure the personal details of their customers and employees. The largest of the five fines, S$54,000, was imposed on Horizon Fast Ferry, a ferry operator, for failing to appoint a data protection officer, failing to develop and implement data protection policies and practices, and failing to put in place “reasonable security arrangements” to protect customers’ personal data.
The Philippines’ Data Privacy Act of 2012 became operational when its implementing rules and regulations came into effect in 2016, and regulators have since issued recommendations to ensure compliance with data privacy laws. In an effort to meet the higher standards and obligations set by the GDPR, the Act is now supplemented by rules and regulations mirroring GDPR policies.
The Personal Data Protection Act recently passed in Thailand offers citizens protections similar to those of the GDPR. Thailand is the EU’s third-largest commercial partner in ASEAN, so businesses in Thailand that handle the data of EU residents must integrate GDPR requirements into their business processes. The Thai PDPA draws various concepts from the GDPR. However, it also reflects concepts developed from Thai perspectives, and compliance with the GDPR does not necessarily mean compliance with the Thai PDPA. Careful examination is therefore crucial for companies that need to comply with both.
Indonesia does not have a comprehensive personal data protection law or regulation protecting Indonesians from the misuse of their data. In 2018, Google invested $1bn in Go-Jek. Increased foreign investment and a growing digital economy mean a national conversation is needed to ensure citizens are not exploited while companies process consumer data without overarching regulation. The Ministry of Communication and Information Technology has made efforts to promote and push a personal data protection law; the Institute for Community Studies & Advocacy, the Indonesian E-Commerce Association and ICT Watch were established as part of this initiative. However, Indonesian data protection regulation remains a work in progress, as it requires harmonisation with other regulations issued by related government ministries.
However, there are sector-based laws such as Law No. 11 of 2008 on Information and Electronic Transaction (as amended in 2016), which requires a party that operates an electronic system to implement security measures to prevent failure or disturbance to the electronic systems, including personal data on such systems, and laws specific to the telecoms, banking and capital markets sectors.
Laos
In Laos, although there is no single piece of legislation governing personal data protection, the Law on Electronic Data Protection 2017 and the Law on Prevention and Combating of Cybercrime 2015 contain provisions that protect data privacy and prohibit the use of personal information in ways that could harm a data subject’s reputation.
No single comprehensive law regulates personal data protection in Vietnam. Personal data protection provisions are scattered across different pieces of legislation, and there is no indication that Vietnam is moving toward a single data protection law modelled on the EU GDPR.
Vietnam’s controversial cyber security law took effect in January 2019. The law imposes onerous conditions, including mandatory data localisation and cross-border data transfer restrictions: important data generated or collected in Vietnam by offshore entities must be kept onshore. It also requires technology companies to hand over user data at the government’s request and to open a local office in the country.
Cambodia, Myanmar and Brunei
Cambodia also has no comprehensive data protection law. Some general protections of personal data, confidentiality and privacy are found in the Cambodian Constitution, the Cambodian Civil Code, labour law and sector-specific laws governing banking, financial services and medical ethics. To date, Brunei and Myanmar likewise have no general data protection law.
Sharon Tan is a partner and Nurul Syahirah Azman is an associate at Zaid Ibrahim & Co. Ms Tan can be contacted on +60 (3) 2087 9999 or by email: firstname.lastname@example.org. Ms Azman can be contacted on +60 (3) 2087 9999 or by email: email@example.com.
© Financier Worldwide
Sharon Tan and Nurul Syahirah Azman
Zaid Ibrahim & Co.