Trying to make sense of the data management scrum in Asia
Data transfers are proving to be an area fraught with risk in Asia, as well as Europe. Careful data management has historically been viewed as a somewhat "European" preoccupation, but recent developments underline its importance in Asia too.
In Hong Kong, for example, there are significant restrictions on the collection, holding, use and transfer of data. A provision of the Personal Data (Privacy) Ordinance imposes controls on transfers of data offshore. This Ordinance is not yet in force, however (despite almost two decades having passed since its enactment). Nevertheless, market participants, especially banks, often treat it as if it were in effect. In any event, there are signs that this provision may come into force soon, although uncertainties remain.
Compliance issues often arise in the context of outsourcing, where personal data may be transferred to the service provider for use in the provision of the outsourced services. Many organisations ensure personal data provisions in their customer documentation are sufficiently sophisticated to cater for transfers of personal data to service providers. However, there may be examples where the paperwork is deficient, giving rise to associated risks.
Direct marketing of goods and services to individuals without consent is another aspect of data management which is more tightly controlled now in Asia than previously. New restrictions were introduced in this regard in Hong Kong in 2013. This tougher approach was also evidenced in September 2015 with the convictions of two organisations for breach of these rules, the first to have been processed in the courts. Although the fines imposed were relatively small, the management time and embarrassment may have been more costly.
There are also potential difficulties for M&A transactions, particularly for business sales. Although there is an exemption available for the provision of due diligence material, this exemption falls away when data is no longer used for that purpose. Consents must be obtained by the buyer – a potential difficulty for an acquiring party, where "re-papering" clients is difficult in any event and even more so when positive consent is required from the customer. It raises the spectre of acquiring parties not being able to market directly to their new customers post-acquisition.
Banks often seek to address confidentiality issues by way of consents in customer terms and conditions to the use and transfer of information within large multinational organisations. However, much may depend on the precise wording of such terms, and there may be regional variations.
The incoming bank recovery and resolution regime in Hong Kong also raises questions about the treatment of data. Examples include reorganisations designed to result in enhanced resolvability, and the practicalities of dealing with ongoing activities following transfers of businesses and/or when a failing bank goes into resolution. However, it is fair to say that if a bank is in crisis, data protection may not be at the top of the bank's (or regulator's) risk lists.
There is a broader regional context to these risks in APAC. In Singapore, we have seen recently introduced data protection legislation. We have also seen difficulties involved in accommodating strict Korean regulatory requirements into data management structures. This is another area where we see fragmentation of the region at a regulatory level, making it difficult for global organisations to establish a complete "pan-Asian" solution.