Most businesses now collect, store and use personal information in some way. For organisations that operate in and throughout the Asia Pacific region, it is critical to recognise that there are different data privacy regimes that apply in the region and an organisation-wide compliance program must be considered.
THE BASICS – THERE IS A NEED FOR COMPLIANCE
- There are currently over 80 countries around the world with data privacy laws in place. This number is expected to rise and the laws are here to stay. Significantly, data privacy laws are implemented and enforced differently in each country.
- Data privacy, or data protection, laws regulate the use of "personal data" by organisations to protect certain rights of individuals – organisations are not free to use personal data at will.
- Generally, "personal data" means information about an individual who can be identified from that information. This is broad and it is not always the same in every country.
- It is very difficult to think of any business that does not use personal data. Does your organisation have employees, clients, contractors, agents, suppliers, customers or patients? Does your organisation transfer, store or outsource personal data? Does your organisation carry out direct marketing? If you can answer yes to any one of these questions, then you are using personal data and therefore should be thinking about data privacy compliance.
- The risks of non-compliance are significant. Depending on the jurisdiction, there are risks of criminal offences, fines, civil actions, investigations and enforcement actions. There is also the risk of regulatory damage and impact on share price, and compliance gaps can slow down or impact the sale of a business or its initial public offering potential.
A LOOK AT DATA PRIVACY ACROSS ASIA PACIFIC
The Asia Pacific region has seen the most rapid development in privacy laws in recent times. Some highlights include:
- Australia is in the process of strengthening its existing privacy laws. Under the newly-proposed Australian Privacy Principles, a local company may be deemed as non-compliant if a foreign third party to whom personal data is transferred is found to be non-compliant.
- It is commonly thought that China does not have any data protection laws. However, there are laws that regulate data under banking and telecommunications regulations.
- Hong Kong has introduced penalties under data privacy law and new criminal offences that may result in a prison sentence (e.g. for the unauthorised sale of personal data). This development followed on from the Octopus case, when it was revealed that the smart card operator had sold the personal information of over one million card users. Since then, there have been further criminal prosecutions, including against a bank for failing to implement opt-outs for customers.
- New laws are coming into force in India to strengthen its existing data privacy landscape.
- There are moderate levels of regulation in Japan, but enforcement is currently limited because there is no centralised regulator.
- A strong regime has been proposed in Malaysia, which authorises jail sentences for non-compliance and imposes joint and several liability on directors, CEOs or other senior officers of non-compliant companies, but its enforcement has been delayed for some time now.
- In April 2011, New Zealand came a step closer to being recognised as an "adequate" jurisdiction by the European Community. The Article 29 Working Party, a key European data protection working party, issued an opinion that New Zealand ensures an adequate level of data protection for the purposes of the European Data Protection Directive.
- Final touches are being made to the first data privacy law to be introduced in the Philippines.
- South Korea's tough new law came into force in September 2011, under which it is very difficult to collect personal data.
- In Taiwan, a major amendment to the existing personal data legislation was passed by the legislature in April 2010 and is soon to come into force, significantly expanding the definition of personal data and its application to a broader range of individuals, entities and more of the private sector.
- In Vietnam, consumer protection law protecting consumer data took effect in July 2011.
- In Singapore, the Parliament is expected to pass comprehensive data privacy legislation before the end of 2012.
AN INCREASINGLY COMPLEX AREA OF REGULATION
In addition to the high level of activity in Asia Pacific, the existing data privacy regime in Europe is currently undergoing a significant review and new European data protection regulations are expected.
This is important to organisations that operate in Asia Pacific as certain data protection regimes have extraterritorial application. For example, even if you are not "established" within the United Kingdom, its data protection laws might apply to your operations if you use equipment in the UK to process personal data other than for the purposes of transit. Therefore, a best-practice data privacy compliance solution needs to have a global orientation.
WHERE ARE WE NOW?
Data privacy laws are here to stay and will continue to develop. Given the increased risk of regulatory interest, investigations, fines and sanctions, it is key for any global business to develop its compliance position on its own terms and timeline rather than at the direction of a regulator.
However, our sense is that many global companies have not risen to the compliance challenge posed by the growing body of data privacy laws around the world. Common issues we see include:
- The basics of data privacy not being understood, and the consequential risks for a company not being recognised or dealt with to the standards required by regulators.
- Data privacy issues being addressed on an ad hoc basis to deal with specific compliance questions as they arise. For example, organisations often ask for advice to put in place a data transfer agreement for one project, which can be ineffective because it only deals with one problem.
- A failure to consider a full solution or an end-to-end data privacy compliance program.
WHAT CAN YOU DO?
For organisations that operate in more than one jurisdiction, an organisation-wide approach should be adopted. The DLA Piper model for tackling this is:
1 – The internal audit: Understand what personal data the organisation collects and how it is used. This means examining all personal data collection points and subsequent usage, including for the purposes of processing, cross-border data flows and third-party disclosures.
2 – Compliance assessment: Based on the results of the internal audit, an organisation needs to understand the extent of any global data protection compliance issues it potentially faces. The compliance findings will need to be raised at board level, as "top-to-bottom" organisational engagement will be required to implement an effective compliance solution.
3 – Data privacy compliance program: A detailed "functional" data protection compliance program will need to be developed based on the organisation's specific situation. It will need to be calibrated across the relevant jurisdictions and address both internal and external data flows and use.
4 – Ongoing vigilance: Data protection compliance requires ongoing vigilance to ensure continued compliance. Every organisation should self-check that it is actually following its own policy and that it is up-to-date with current business operations.
THE PATH TO COMPLIANCE
While data privacy is a complex area of law to put into practice, and perfect compliance with all applicable regulations at all times is virtually impossible in light of commercial reality, implementing an appropriate compliance solution is not. Solutions for compliance on a regional or global basis are already well understood and implementation of an effective data compliance regime is not as onerous as some organisations might perceive and fear.
HOW CAN DLA PIPER SUPPORT GLOBAL COMPANIES DEALING WITH DATA PRIVACY ISSUES?
DLA Piper has assisted a number of global companies to implement best practice global compliance programs that span multiple jurisdictions. We offer a solution that is flexible to fit any global organisation's profile, whether this solution is something that the company has already started to implement or wants to get off the ground.
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com