Asia’s data privacy frameworks remain highly fragmented. But companies cannot be complacent about more onerous laws in other jurisdictions, says Sarah Pearce at international law firm Paul Hastings.
With the emergence of fintech and added competition from big technology firms venturing into consumer finance, data governance has never been more important. The need to implement an internationally-recognised data management framework (including the requisite policies and procedures) has become crucial.
2019 has been the year of the data breach, where rising public awareness and regulatory pressures worldwide have resulted in more data breach incidents being reported, and fines being imposed for violations of data privacy regulation. This has been driven in large part by the EU’s General Data Protection Regulation (GDPR).
So far, Japan has remained the only country in Asia to be granted an Adequacy Decision by the European Commission. It highlights that the rest of Asia Pacific’s privacy laws are fragmented, and that they do not all offer the same safeguards as the EU and Japan.
The EU–Japan Adequacy Decision took effect on 23 January 2019, following a mutual decision made on the basis of each jurisdiction recognising the other’s data privacy regime. The Decision enabled data to flow freely between the two jurisdictions, although the EU demanded Japan put in place additional safeguards before it was granted.
The first “safeguard” required Japan to implement a set of supplementary rules designed to bridge the differences between the EU and Japanese regimes, and to strengthen certain safeguards in Japan’s existing data privacy legislation. Specifically, this included better protection of sensitive personal data, stronger rights for individuals and enhanced conditions under which EU data can be transferred to another third country.
The second safeguard was for Japan to provide assurances that any access by its public authorities for criminal law enforcement would be limited only to what is necessary and proportionate, and subject to independent oversight and effective redress mechanisms.
The third safeguard focused on complaints handling, requiring Japan to implement a mechanism to investigate and resolve complaints from EU persons regarding access to their data by Japanese authorities.
The reason for the additional safeguards was to align the two systems and ensure compatibility such that individuals could benefit from the same – or at least substantially similar – level of protection, if their data were to flow freely between the two regions.
However, since the additional safeguards were imposed, there have been no further updates to Japan’s privacy regime. It will be interesting to see how EU authorities react to this lack of action during an upcoming annual review of the Decision, which is due on its anniversary at the start of 2020.
Should financial services companies in Asia Pacific be wary of foreign regulators finding fault with their protocols and issuing fines? Interestingly, while we have seen an increase in the number of companies facing fines under GDPR, in some instances over USD 100 million, they have largely been multinational companies headquartered in the US. To date, we have not seen any Japanese or Asia Pacific corporations fall afoul of foreign data privacy laws.
It is, however, imperative that companies in the region do not forget that regulatory authorities have the power to investigate all companies regardless of size or location, if they fall under the remit of GDPR, which extends beyond the geographical border of Europe, and can include any company holding the data of an EU citizen, resident or traveller. Companies must not be complacent with the thinking that compliance with (the often less onerous) laws of jurisdictions closer to home is of greater importance.
Fines issued thus far have arisen not only in the context of a data breach, but also on the basis of a lack of effective security – and often stemming from a third-party vendor. The growing popularity of digital payments is forcing businesses to implement appropriate mitigation measures and control mechanisms to manage their exposure to the increased operational and security risks arising in connection with the payment services they provide. Additionally, businesses should establish and maintain effective incident management policies and procedures, including, in particular, those focusing on the detection and classification of operational issues and data security incidents.
It is no longer enough for companies to say they will take or are taking steps to comply; the accountability principle is live – companies either comply or risk being caught out and subject to the sanctions that the regulators are not afraid to impose. The ultimate responsibility, therefore, comes down to the organisation taking steps to make sure they comply with local and international regulations to which they are subject. It is often too late when regulators find out compliance has not been achieved or is incomplete.
It is vital, for example, that companies have procedures to handle data subject requests. Some commentary has suggested there is insufficient guidance on certain aspects of GDPR and firms have, to some extent, used this as an excuse for non-compliance. There is, however, only so much burden you can place on regulators in terms of guidance because they have a job to do which extends beyond simply producing documentation: they also have to enforce the regulation.
Regulators’ responsibilities are extensive – and they are performing those responsibilities with the time and resources available to them. So, in essence, there is no hiding: it does come down to companies taking notice of the regulation and the obligations it places on them as businesses to actually implement its requirements – and that includes the requisite policies and procedures to deal with the fact that it exists and is being actively enforced.
As we shift to a digital economy, more and more personal data is controlled and processed by companies across the globe, which are often subject to multiple regulations across borders. The urgency becomes alarming with the rise of organisations using artificial intelligence, big data analytics and machine learning, particularly fintech firms whose business model depends entirely on large volumes of consumer data – which often includes highly confidential financial data.
Furthermore, with 5G on the horizon, even more personal data will likely be available and processed across borders more easily, quickly and broadly. Arguably, a more standardised data protection regime worldwide would benefit both the organisations controlling and processing data, and enable individuals to become more aware of their obligations and rights.
Jurisdictions in Asia have made progress in stepping up their privacy regulations over the past two years. Notable examples include China’s cybersecurity law; Sri Lanka and Malaysia’s personal data protection laws, modelled after GDPR; and the Philippines’ Code of Ethics and Code of Conduct targeting online lenders.
However, the region’s privacy frameworks remain highly fragmented and Japan is still the only country in Asia that’s been granted the Adequacy Decision so far. It will be interesting to see if Japan can keep its title after the annual review, and if other jurisdictions in Asia will catch up and join the list in 2020.
Sarah Pearce is a Partner in the Privacy and Cyber Security Practice of international law firm Paul Hastings heading up the European team from the firm’s London office.