How has GDPR influenced the evolution of data protection in APAC?

It has been five years since the enactment of the European Union’s General Data Protection Regulation. In that time, data protection around the world has changed significantly. The implementation of GDPR has had a direct impact on privacy law globally. Governments and regulators have looked to Europe as a sandbox for digital policy and have taken their leads from the European experience. 

There have been a number of direct and indirect developments in data protection legislation in APAC. Most lawmakers have taken inspiration from GDPR’s principles of lawfulness, fairness and transparency. Others have increased fines to levels similar or higher than the GDPR. Further data protection developments are underway in a number of key APAC jurisdictions, and we set out an overview of those below.

• In Australia, reforms to the Privacy Act 1988 (Cth) (the Australian Privacy Act) were passed into law at the end of 2022 to: significantly increase the penalties for serious or repeated breaches of privacy; expand the investigatory and enforcement powers of the privacy regulator; and widen the extraterritorial reach of the Australian Privacy Act.

For corporations, the maximum penalties for privacy breaches can now reach the greater of: (i) AUD 50,000,000; (ii) three times the value of any benefit obtained that is attributable to the breach; or (iii) (if the benefit cannot be determined) 30% of the company’s adjusted turnover in the relevant period during which the breach occurred. The privacy regulator has been granted enhanced information gathering powers, particularly in respect of data breaches, and can share information with a wider range of Australian and overseas enforcement bodies, as well as sharing publicly if it is in the public interest to do so. Regarding extraterritoriality, the Australian Privacy Act now captures organisations that carry on business in Australia even if they do not collect or hold personal information in Australia – a standard which may go beyond the extraterritorial reach of the GDPR.

Following these reforms, the Australian government has launched a further, more extensive, review of the Australian Privacy Act to strengthen the protection of personal information in Australia. In February 2023, a report with 116 proposals for reform was released, and public feedback was sought until the end of March. Some of these proposed changes would bring the Australian Privacy Act in line with terminology and practice in the GDPR and introduce GDPR-style concepts that are currently not present in Australian privacy law. These include the introduction of a modified version of the “controller” and “processor” distinction, and a number of data subject rights, such as rights to object, request erasure, and to have search results de-indexed. 

• In China, the government has recently tightened its data-related regulations. The long-awaited Personal Information Protection Law (the PIPL) came into force in November 2021 which forms part of the China data protection regime in addition to the PRC Cybersecurity Law and the PRC Data Security Law. Violation of the PIPL may, in addition to other administrative sanctions, result in a fine of up to RMB 50,000,000 or 5% of annual turnover for the previous year. The person in-charge who is directly responsible for and other personnel may also be subject to personal liability.

Since the implementation of the PIPL, numerous regulations, administrative measures and standards have been issued which provides further guidance on the implementation of China’s data regime. This creates uncertainty and challenges for MNCs to adapt their China business with this constant evolving landscape, compelling them to prioritise high risk areas such as cross-border transfer of data.

Whilst the PIPL is modelled upon the GDPR, the current PRC data regime extends to data security issues beyond personal data protection. Certain sensitive data, either by nature or by volume, has to undergo a security assessment before it is transferred outside of China. Clearly identifying such data has proven to be challenging for many MNCs at this stage.

With technological advancement, China has seen the need to regulate the use of generative AI with a view to promoting ethnical development and use of innovative tools. Given the significant role of data in generative AI, we expect that the data regulatory landscape will keep evolving in response to ever-changing technological developments.

Insofar as enforcement is concerned, the most notable case relates to the action taken against Didi in July 2022 where a fine exceeding RMB8 billion (approximately Euros 1.16 billion) was imposed on Didi and its chairman / CEO were held personally liable for the violations. The regulator has been increasingly active since China re-opened its borders early this year. There have been a number of high profile dawn raids that have shown a focus on national security through the lens of data compliance.

• In Singapore, we have had the first comprehensive review of the Personal Data Protection Act 2012 with the majority of amendments coming into force in 2021 and 2022. The most notable changes were a mandatory data breach notification regime, increased financial penalties and a new data portability obligation. These are all concepts and thresholds that exist under the GDPR.

Organisations are now obligated to notify the Personal Data Protection Commission (PDPC) and affected individuals of any data breach (with certain limited exceptions applying). Further, if the PDPC is satisfied that an organisation has intentionally or negligently contravened certain provisions of the PDPA, the PDPC can impose a financial penalty. Previously, the financial penalty cap was S$1 million. Now, for contraventions on or after 1 October 2022, the maximum penalty is S$1 million or, if it is an organisation whose annual turnover in Singapore exceeds S$10 million — 10% of the annual turnover in Singapore of that organisation. This is a threshold much closer to the GDPR penalties.

The new data portability obligation gives data subjects the right to ask an organisation to transfer their personal data to a different organisation, unless there are valid reasons to refuse. This gives data subjects in Singapore greater autonomy over their data.

While no further significant changes to the Singapore data protection landscape are expected, we are likely to see an increasing number of companies conducting a review of their internal data protection policies and processes (similar to what has happened in Europe), to ensure compliance with the Singapore PDPA and avoid the potentially higher financial penalties.

• In Indonesia, the government has passed an overarching law on data protection as set out in Law No. 27 of 2022 on Personal Data Protection (PDP Law) which came into effect on 17 October 2022. Prior to the enactment of PDP Law, data protection regulations in Indonesia were governed under multiple sporadic. Other than unifying the rules and principles on personal data protection, the PDP Law adopts many of the provisions set out in the GDPR and imposes more stringent requirements as well as stiffer sanctions.

The PDP Law marks a significant shift in Indonesia that would have implications to all businesses, individuals and public institutions. While there is a two-year grace period to allow parties to adjust to the PDP Law and implementing regulations are forthcoming, businesses should brace themselves to make the necessary adjustments to comply with the requirements under PDP Law. The obligations put emphasis, on, among others (i) consent requirement, (ii) breach notification, and (iii) rights of data subjects.

One of the key provisions under the PDP Law is the introduction of a new authority specifically designated to oversee personal data protection (PDP Authority). Once formed, the PDP Authority will report to the President and have a broad range of authorities. Another notable change under the new law is the stricter sanction regime that would broadly apply to most of the substantive obligations in the PDP Law. A point worth highlighting is that for legal entities, the administrative fines will be up to 2% of the entity’s annual revenue. It is not clear whether the revenue refers to the global revenue for multinational companies. Nonetheless, this is a breakthrough for Indonesia, as the PDP Law is currently the only law in Indonesia that imposes fines based on a percentage of an entity’s revenue.

• In Vietnam, we recently had the first comprehensive legal document that governs the protection of personal data, namely Decree No.13/2023/ND-CP on Personal Data Protection (the PDPD). The PDPD will come into force on 1 July 2023, and will have extra-territorial scope. Under the PDPD, data protection must follow the principles of lawfulness, transparency, purpose limitation, data minimisation, accuracy, integrity, confidentiality and security, storage limitation, and accountability.

Taking guidance from the GDPR, in principle, all data processing operations require the data subject’s consent, which must be voluntary and clearly expressed. The data subjects’ silence or lack of response does not constitute effective consent. Nonetheless, the PDPD sets out certain specific circumstances under which personal data could be processed without consent of the data subjects (e.g. in case of emergency to protect the life and health of data subjects, or in case the disclosure of personal data is required by specialised law, etc.).

The PDPD also provides for a regime for cross-border data transfer under the supervision of the Ministry of Public Security. In particular, the transfer of personal data of Vietnamese citizens abroad requires a transfer impact assessment, as well as a post-transfer written notice sent to the Ministry of Public Security. The Ministry of Public Security may conduct regular or extraordinary inspections on cross-border data transfers, and may suspend the transfer if it violates national interests and security, if a transfer impact assessment is not provided (or is incomplete), or in case of a security incident involving personal data of Vietnamese citizens.

At this stage, the PDPD is expected to serve as a basis for the evolution of data protection law in the coming years.

• Thailand enacted the first comprehensive piece of legislation on data protection, the Personal Data Protection Act B.E.2562 (Thai PDPA), on 27 May 2019 which became fully effective on 1 June 2022. The Thai PDPA applies to data controllers and data processors, both inside and outside Thailand, that collect, use, or disclose personal data of data subjects who are in Thailand, unless an exemption applies. While there are several similarities between the Thai PDPA and the EU GDPR – for example, the legal basis for collecting and processing personal under both laws include performance of contract, compliance with legal obligations and legitimate interest and both laws impose conditions and restrictions on the transfer of personal data to third countries – there are also some distinctions that a GDPR-compliant business operator should take not when implementing the Thai PDPA.

The Thai PDPA provides for both civil and criminal liabilities for data controllers and data processors who breach the law, as well as for their directors, managers, or representatives. The civil liabilities include compensation for damages and injunctive relief, while the criminal liabilities include imprisonment of up to one year and fines up to 5 million baht (about 160,000 USD).

The Thai PDPA is still undergoing development and refinement, as some of its provisions are vague, ambiguous, or inconsistent, and some of its subordinate regulations, guidelines, and codes of conduct have not yet been issued or finalized. The lack of predecessor law and precedent on the interpretation and implementation of data privacy law in Thailand has resulted in challenges in terms of awareness, readiness, and compliance among data controllers, data processors, and data subjects, as well as in terms of enforcement and coordination among the authorities and stakeholders.

Privacy issues are only becoming more important as we live more of our lives online and as new technologies, such as artificial intelligence, come to the fore. We believe that business leaders across APAC need to continue to keep an eye on how digital and privacy issues are evolving in the EU and the rest of APAC if they want to understand how their own market may change in the next five years.

For further information on the privacy developments in APAC, listen to our ASEAN Data Protection and Privacy Developments podcast series.