International: Update on privacy related legislation in APAC region
Countries across the APAC region have been introducing comprehensive data protection laws and/or updating existing legislation to ensure personal data is protected in the digital era. OneTrust DataGuidance provides an overview of the status of current privacy/data protection bills in Australia, Brunei Darussalam, India, Malaysia, Mongolia, Myanmar, Pakistan, Sri Lanka, Thailand, and Vietnam.
The key legislation governing data protection in Australia is the Privacy Act 1988 ('the Privacy Act'), which also contains the Australian Privacy Principles ('APP'). The Australian Government is currently in the process of an overarching review of the Privacy Act, with public comments on its Discussion Paper open until 10 January 2022. In particular, the Discussion Paper proposed several amendments to the Privacy Act, which included, among other things:
- a non-exhaustive list of information capable of being covered by the definition of personal information;
- the introduction of a requirement that the collection, use, or disclosure of personal information under APP 3 and APP 6 must be fair and reasonable in the circumstances; and
- the introduction of a requirement that the use or disclosure of personal information for the purpose of influencing an individual's behaviour or decisions must be a primary purpose notified to the individual when their personal information is collected.
In addition, the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 ('the Online Privacy Bill') has been proposed and, if adopted, would introduce a binding online privacy code for social media and certain other online platforms. The Online Privacy Bill would also increase penalties and strengthen enforcement measures, aiming to address the pressing privacy challenges posed by such platforms.
Submissions in response to the exposure draft of the Online Privacy Bill and the accompanying consultation Regulation Impact Statement were accepted until 6 December 2021. The Australian Government is currently considering the submissions received and has confirmed that it will use this feedback to shape the development of the Online Privacy Bill before it is introduced to the Parliament of Australia.
Brunei Darussalam does not currently have data protection legislation. On 20 May 2021, the Authority for Info-Communications Technology Industry of Brunei Darussalam ('AITI') published a public consultation on a proposed Personal Data Protection Order ('PDPO'), which would introduce a comprehensive data protection regime for Brunei. The AITI published its response to the consultation feedback on 3 December 2021.
The PDPO, in its currently envisaged form, establishes obligations and requirements for organisations (a concept similar to that of data controllers under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')) and introduces three data subject rights: the right of access, the right to withdraw consent, and the right to rectification. Notably, the PDPO does not distinguish between categories of personal data such as sensitive personal data; instead, all obligations under the PDPO apply equally to all personal data.
The proposed PDPO would also require organisations to appoint a data protection officer ('DPO') responsible for compliance with the PDPO, and would impose a consent obligation and a purpose limitation obligation restricting the collection, use, and disclosure of personal data. Lastly, a proposed notification obligation would require organisations to notify individuals of the collection of their personal data and of the purposes for which it is collected, used, or disclosed.
In its latest publication, the AITI clarified that the finalised PDPO is expected to be published by mid-2022, with a two-year grace period before it takes effect. The AITI's next steps are to finalise the draft for commencement and to have it signed and published in the Gazette by His Majesty the Sultan and Yang Di-Pertuan of Brunei Darussalam.
In the absence of a comprehensive privacy law, the current data protection framework in India is built around the Information Technology Act, 2000 ('the IT Act'). Notably, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('the SPDI Rules') impose obligations to protect personal information on entities engaged in commercial or professional activities, with a particular focus on sensitive personal data or information.
That said, India's privacy landscape is set to change substantially with the Personal Data Protection Bill, 2019 ('the Bill'). Introduced in 2019 following the Supreme Court's landmark decision in Justice K S Puttaswamy and Anr. v. Union of India and Ors. [Writ Petition (Civil) No. 494 of 2012], the Bill was subject to severe delays throughout 2020 and 2021. After much anticipation, the Joint Parliamentary Committee ('JPC') tabled its report on the Bill in December 2021, putting forward a total of 93 recommendations and a revised version of the Bill, to be renamed the Data Protection Act, 2021 on enactment. If enacted, the proposed Act would apply to both personal and non-personal data, maintain strict data localisation requirements, and introduce new provisions governing social media platforms.
It is currently unclear whether the Bill will proceed through the Indian Parliament or whether a new bill will be presented, given the significant changes proposed by the JPC and the stakeholder pushback they have attracted. However, as ministries and other bodies across the Indian Government continue to issue their own data protection guidelines and policies, particularly for the health and financial sectors, a unifying privacy law is likely to remain a key priority for legislators in 2022.
Data protection in Malaysia is primarily governed by the Personal Data Protection Act 2010 ('PDPA'). The PDPA is supplemented by subsidiary legislation which governs, among other things, data user registration, classes of data users, and fees. In addition, the Department of Personal Data Protection has released data protection standards, as well as codes of practice for various sectors including banking and finance, energy, and insurance.
On 14 February 2020, a public consultation paper setting out proposed amendments to the PDPA was released. If adopted, the amendments would introduce significant changes to Malaysia's data protection regime. In particular, the proposed amendments recommend the mandatory appointment of a DPO, mandatory data breach reporting, a right of civil action against data users, the introduction of data portability and Privacy by Design requirements, and the extension of the PDPA's scope to data processors. Many of the proposed amendments are inspired by the GDPR and aim to bring the PDPA into closer alignment with European data protection standards.
Following the public consultation, on 26 August 2020 the Ministry of Communications and Multimedia Malaysia confirmed that the Government of Malaysia was still considering whether to amend the PDPA and that any decision would be submitted to the Cabinet of Malaysia.
Mongolia does not currently have comprehensive data protection legislation. Data protection in the country is primarily governed by the Law of Mongolia on Personal Secrets 1995, which protects 'personal secrets', a category that may include personal information. In addition, the Constitution of Mongolia guarantees the privacy of citizens and their families, the privacy of their correspondence, and the inviolability of their homes.
On 9 August 2021, the Standing Committee on Innovation and e-Policy and the Standing Committee on Legal Affairs jointly discussed a Draft Law on the Protection of Personal Information ('the Draft Law'). If adopted, the Draft Law would be Mongolia's first comprehensive data protection legislation. The Draft Law establishes, among other things, grounds for the collection, processing, and use of personal and sensitive information, data subject rights, and responsibilities for data controllers in areas such as international data transfers and vendor management. More specifically, and similarly to the GDPR, the Draft Law defines terms including biometric, health, and genetic data, as well as digital identifiers, and requires that the relationship between data controllers and data processors be governed by a contract.
The Draft Law has been submitted to the Parliament of Mongolia, which is considering whether it will be taken up for discussion by the standing committee.
While there is no general data protection law in Myanmar, the Constitution of the Republic of the Union of Myanmar 2008 and the Law Protecting the Privacy and Security of Citizens (Union Parliament Law 5/2017, 8 March 2017) set out provisions for the protection of privacy and the security of communications. These are supplemented by sectoral legislation, such as the Telecommunications Law 2013, which contains provisions on the confidentiality of personal information.
On 18 May 2021, OneTrust DataGuidance confirmed with Dr Ross Taylor, Counsel and Head of Financial Services at Tilleke & Gibbins, that the State Administration Council had adopted amendments to the Law Protecting the Privacy and Security of Citizens (2017) ('the Privacy Law') and the Electronic Transactions Law (2004) ('the Electronic Transactions Law'). Taylor clarified that the amendments address the Government of Myanmar's power to carry out wide-ranging surveillance and investigation activities, and suspend various sections of the Privacy Law that previously limited such activities in view of individual privacy rights. Notably, Taylor also highlighted that the amendments introduce an exception under the Electronic Transactions Law allowing the Government to obtain personal data for purposes related to the stability, tranquillity, and national security of the State.
Data protection in Pakistan is currently governed by the Prevention of Electronic Crimes Act, 2016 ('PECA'), which establishes a legal framework for various electronic crimes, including unauthorised access to personal data. In 2018, the Ministry of Information Technology and Telecommunication ('MOITT') introduced a first draft Personal Data Protection Bill ('the 2018 Bill'), which has since been replaced by the Personal Data Protection Bill 2021 ('the Bill'). The Bill goes further than the 2018 Bill, regulating both controllers and processors of personal data in Pakistan.
In addition, the Bill would establish a National Commission for Personal Data Protection ('the National Commission') responsible for monitoring and enforcing the data protection obligations it sets out. The main responsibilities of the National Commission would include prescribing standards to protect personal data from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, and destruction. Compared with the 2018 Bill, the Bill also introduces new definitions of 'legitimate interest', 'public interest', and 'vital interest'. The Bill further clarifies its scope of application, providing that it extends to any controller or processor incorporated in another jurisdiction that operates, digitally or otherwise, and engages in commercial or non-commercial activity within Pakistan.
The Bill was formally released for public consultation and was subsequently approved by the Federal Cabinet of Pakistan on 16 February 2021. It must still be considered and debated by the National Assembly of Pakistan, after which it may be adopted and promulgated by the President of Pakistan.
In Sri Lanka, privacy rights are currently guaranteed under the Constitution of the Democratic Socialist Republic of Sri Lanka 1978 and addressed through a number of laws and regulations on cybercrime, electronic transactions, and other specific sectors. With the aim of modernising this patchwork of legislation, the Sri Lankan Parliament passed, with amendments, the Bill to provide for the Regulation of Processing of Personal Data (2021) on 9 March 2022, marking the end of several rounds of revisions that began in 2018.
Upon its entry into force, the Bill is expected to strengthen the rights of data subjects and to establish the Data Protection Authority of Sri Lanka. The Bill is also expected to impose extensive obligations on both data controllers and processors, including a requirement to implement a 'Data Protection Management Programme' and restrictions on cross-border data transfers. Finally, the Bill is expected to provide for financial penalties of up to LKR 10 million (approx. €39,930) and to be further implemented through supplementary regulations.
As of 11 March 2022, the finalised version of the Bill had not been made publicly available and was awaiting formal endorsement. Based on the version of the Bill published in November 2021, its provisions are expected to take effect on a date to be notified by the relevant Minister, with some provisions subject to a two-to-four-year transition period.
The Personal Data Protection Act 2019, commonly referred to as the PDPA, is the first consolidated data protection law in Thailand. It was originally scheduled to come into full effect on 27 May 2020; however, citing the impact of the COVID-19 pandemic on businesses in Thailand, the Government postponed full enforcement to 1 June 2021 and then, citing further negative impacts of the pandemic on businesses and society, postponed it a second time to 1 June 2022.
The PDPA establishes a comprehensive data protection regime that guarantees the protection of individuals' personal data and imposes obligations on businesses when collecting, using, and disclosing personal data. The PDPA has several similarities to the GDPR, including data subject rights, legal bases for processing, and obligations on data controllers and data processors. One key distinction between the two laws is that the PDPA does not define 'sensitive data'; nonetheless, it imposes stricter consent requirements on the collection, use, and disclosure of 'personal data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the Personal Data Protection Committee'.
The Ministry of Digital Economy and Society ('MDES'), acting as an interim authority with limited powers pending the establishment of the Personal Data Protection Committee ('PDPC'), has been actively developing guidelines and secondary legislation under the PDPA and working towards the establishment of the PDPC. Most recently, the PDPC was officially established on 11 January 2022; however, at the time of publication, it had no publicly available website. Furthermore, on 6 December 2021, the MDES, exercising its interim PDPC powers, released eight draft secondary laws providing further statutory clarification of the PDPA. More notifications and regulations are expected, as Article 96 of the PDPA requires such notifications and regulations to be issued within one year of the law's effective date.
Vietnam does not have a consolidated piece of legislation on the protection of personal data; rules on personal data protection are instead spread across the Law on Cyber Information Security No. 86/2015/QH13 (19 November 2015) ('LCS'), the Civil Code 2015 (24 November 2015) ('the Civil Code'), and the Law on Electronic Transactions No. 51/2005/QH11 (29 November 2005). However, in February 2021, the Ministry of Public Security ('MPS') released a draft Decree on Personal Data Protection ('the draft Decree') for public comment; the draft remains under review.
In particular, the draft Decree would establish a Personal Data Protection Commission responsible for enforcing obligations relating to personal data and personal data processing, handling violations involving personal data, and overseeing the responsibility of relevant agencies, organisations, and individuals to protect personal data. The draft Decree also sets out data protection principles including, among others, legality, purpose limitation, data minimisation, restriction of use, and confidentiality. More significantly, the draft Decree defines what constitutes sensitive personal data and provides that the processing of sensitive personal data must be registered with the Personal Data Protection Commission before it begins. In addition, the draft Decree provides for the procedure and legal bases under which personal data may be transferred outside Vietnam, along with the conditions that must be met.
More recently, on 7 March 2022, the Deputy Prime Minister of Vietnam approved a Resolution on the Dossier to Develop the Decree on the Protection of Personal Data ('the Resolution'), which reports the results of the draft Decree's public consultation. In particular, the Resolution outlines the circumstances in which personal data may be processed without the data subject's consent.
Keshawna Campbell, Lead Privacy Analyst
Karan Chao, Senior Privacy Analyst
Theo Stylianou, Privacy Analyst
Chanelle Nazareth, Privacy Analyst
Harry Chambers, Privacy Analyst