As part of my ongoing research into data privacy laws in Asia Pacific (AP), I spoke with chief information security officers (CISOs), consultants, lawyers, and governance, risk, and compliance (GRC) professionals. This is critical to gauge key decision-makers’ awareness and understanding of the ever-evolving data privacy regulations and policies across 15 different jurisdictions in the region.
Some senior people have admitted to me that their organizations have not traditionally taken data privacy issues terribly seriously within their AP operations. However, in a clear sign that this is beginning to change, GRC practitioners are starting to see increased demand for their compliance-related services from both government and business sectors, particularly since late 2012. Regardless of where you stand on this spectrum, the reality is that the awareness levels of data-related regulations – and the level of compliance required to abide by these regulations – varies widely across the region.
This should not be particularly surprising. The concept of “privacy” or “right to privacy” is relatively new in large parts of the region, and legislative environments are highly fragmented among AP countries. With drastic economic changes and technology advancement under way, many AP governments have imposed sector-based data privacy and security measures, aiming to regulate telecommunication network infrastructure and banking systems in particular.
Below are some of the broader trends we’re seeing across the region:
· Data privacy legislations are expanding and changing – A number of ASEAN governments have recently enacted or are planning to enact new privacy laws including Malaysia, the Philippines, and Singapore. Australia and New Zealand (A/NZ) are seeking to accommodate tighter privacy protection and have been debating the need for mandatory data breach notification.
· But, most jurisdictions fail to meet EU standards – The commonwealth nations, A/NZ and Hong Kong, developed comprehensive privacy laws with a single supervisory agent at an earlier stage than other Asian markets during the late ’80s and ’90s. New Zealand is the only jurisdiction that is considered to have “adequate protection” by the EU-directive up to date.
· Penalties for noncompliance are increasing – Recent amendments of existing privacy laws in Australia and Hong Kong allow the Privacy Commissioner to enforce significant data breach penalties. Violation of a newly enacted data privacy regulation by network service providers in China may result in financial penalties, cancellation of business permit, and/or criminal punishment.
· Cross-border transfer of personal data is unevenly controlled by different jurisdictions – Similarly to the EU, some jurisdictions like Australia, Hong Kong, and South Korea only permit personal data transfer when the destination country has adequate data protection and/or obtained prior consent from individuals. Other conditions may apply, or exporting personal data is not explicitly regulated by law in other markets in Asia.
Our recently published report titled “What You Must Know About Data Privacy Regulations In Asia Pacific” provides more detailed analysis and presents best practices for staying on top of these evolving requirements. What is your organization doing to comply with data privacy regulations? As always, I welcome your feedback and comments.