Asian Data Privacy Laws
2013 Roundtable
Professor Graham Greenleaf AM
Professor of Law & Information Systems,
University of New South Wales
Asia-Pacific Editor, Privacy Laws & Business International Report
Pinsent Masons, London, 1 October 2013
Asia – 28 jurisdictions but no centre - No Brussels,
Strasbourg, ECJ, ECtHR, Directives, no A29WP
Asia in global context: mid-2013
• Significant 2011-13 events in half of the 28 jurisdictions
– 12 Asian jurisdictions now have data privacy Acts, covering both
sectors (6) or their public sector (2) or private sector (4) only
– Add China & Indonesia with substantial IT sector laws = 14
– 5 of these have very substantially strengthened their laws recently
– 2 laws are only yet partially in force
– 1 more has a Bill pending for a new law extending existing
coverage, and Bills are reported in draft in others
• Every law differs substantially from all others
None yet have EU ‘adequacy’ findings or CoE 108 accessions
• Information on national laws is very hard to obtain
– Key documents are often not available in European languages
– Information about enforcement & complaints is even harder to find
Global development of data
privacy laws & standards
1. The global context
How many countries have data privacy laws?
What is the global trajectory of development?
What Principles do these laws apply?
2. How do we evaluate & compare these laws?
Standards for data privacy principles
Comparing enforcement: responsive regulation
Comparing data export laws (special focus)
How many countries now have
data privacy laws?
What is a ‘country’ for this purpose?
– A separate legal jurisdiction (eg HK, Macau, Jersey, Greenland)
What’s a law?
– It’s a law: not self-regulation or trustmarks
– But any type of enforcement by law must be accepted
– This is only a Q of whether a DP law exists, not ‘adequacy’
What scope must a law have?
– Must cover either or both of private and public sectors
– Almost all cover both public & private sectors
– 5 Public sector only (must cover national government)
– 6 Private sector only (Must cover most of sector)
What content must a data privacy law have? …
4. What content must a data
privacy law have?
• The ‘basic’ standard of all international agreements
– Initially OECD Guidelines (1980) & CoE Convention (1981)
– Also shared by EU (1995) and APEC (2004)
• Must include ‘most’ basic principles
– Can’t require all 15, or too strict
– Eg no explicit ‘openness’ principle in 5/10 Asian laws
• Testing against 10 Asian laws: averaged 13.6/15
– India & Malaysia’s 11/15 is probably minimum acceptable
– Vietnam was 11/15, now 13 through new 2013 Decree
• Conclusion: Must include minimum 11/15
– including access/correction + security + some finality
‘Basic’ principles in 10 Asian laws
Collection ‘limits’ (‘not excessive’)
Collection by lawful means
Collection by fair means
Purpose of collection ‘specified’ by
time of collection
Collection with knowledge or consent,
when from data subject
Data quality – relevant, accurate,
complete & up-to-date
Uses limited to purpose of collection,
with consent or by law
Disclosure limited to collection
purpose, with consent or by law
Secondary uses and disclosures only
allowed if compatible
Secondary purpose ‘specified’ at
change of use
Security safeguards – ‘reasonable’
Openness re personal data policies
Access to individual personal data
Correction of individual data
Accountable data controller
Total /15
0 0
0 0
0 X
Comparison of 10
X 0
0 0
0 0
How many countries now have
a data privacy law?
• A: 101 (as at 30 August 2013)
– Article in materials is to June 2013
– + add Kazakhstan and South Africa
• 90/101 cover both sectors
– 5 Public sector only (Thailand, Yemen,
USA, Nepal, Zimbabwe)
– 6 Private sector only (Vietnam, Singapore,
Malaysia; India, Qatar & Dubai SEZs)
Result: 101 countries now have data privacy laws
To this map, add Kazakhstan and South Africa – new Acts since mid-2013
Map created by interactive maps:
22 Acts & 19 Bills this decade
Acts 2010
Acts 2011
Acts 2012
Acts 2013
Faroe Is.
Costa Rica
South Africa
St Lucia
Ivory Coast
+ 5 others in
Trinidad &
105-10 data privacy laws by 2015?
This map adds 20 countries with known official data privacy Bills
Map created by interactive maps:
Jurisdictions by decade: From rare to common
New in Decade
Exis ng
101 jurisdictions with data privacy laws by August 2013
Regional spread of data privacy laws
By Region
Australasia: 2
Pacific Is: 0
Asia: 12
La n Am: 9
North Am: 2
Sub-S Africa: 11
N. Af/M-East: 6
Central Asia: 2
Caribbean: 4
EU: 28
Other Eur: 25
101 laws: 53 European, 48 outside Europe (August 2013)
Data privacy laws beyond Europe
• A: 47/100 jurisdictions are outside Europe
– EU: 28 (all); Other European: 25 (2 not: Turkey, Belarus)
– Asia: 12; Latin America: 9; Sub-Saharan Africa: 10;
N.Africa + M-East: 6; Caribbean: 4; A’asia: 2; N.
America: 2; Central Asia: 2
• Implications:
– Most of the world is adopting data privacy laws: no
longer a ‘European thing’
– Most growth will now occur outside Europe
– By 2014-16, the majority of laws will be outside Europe
– When most of the commercially significant world has
such laws, the focus will not be European ‘data exports’
Countries with no Acts or Bills
Afghanistan; Algeria; Bahrain; Bangladesh; Belarus; Belize;
Bermuda; Bhutan; Bolivia; Botswana; British Virgin Islands; Brunei
Darussalam; Burundi; Cambodia; Cameroon; Central African
Republic; Chad; China; Comoros; Congo, Republic; Congo
Democratic Republic; Cuba; Djibouti; Ecuador; Egypt; El Salvador;
Equatorial Guinea; Eritrea; Ethiopia; Fiji; Gambia; Guatemala;
Guinea; Guinea-Bissau; Guyana; Haiti; Honduras; Indonesia; Iran;
Iraq; Jordan; Kiribati; Korea, North; Kuwait; Lao PDR; Lebanon,
Lesotho; Liberia; Libya; Malawi; Maldives; Marshall Islands;
Mauritania; Micronesia; Mongolia; Mozambique; Myanmar;
Namibia; Nauru; Oman; Pakistan; Palau; Palestine; Panama; Papua
New Guinea; Rwanda; Samoa; Sao Tome and Principe; Saudi
Arabia; Sierra Leone; Solomon Islands; Somalia; Sri Lanka; Sudan;
Suriname; Swaziland; Syria; Tajikistan; Timor Leste; Togo; Tonga;
Turkmenistan; Tuvalu; Uganda; United Arab Emirates; Uzbekistan;
Vanuatu; Vatican; Venezuela; Zambia
China and Indonesia already have significant IT sector laws
Jurisdictions by decade: Diffusion to ubiquity
Accelera ng
Linear Growth
New in Decade
Exis ng
101 jurisdictions with data privacy laws by August 2013,
with projections to 2020 (linear = 139; accelerated = 160)
Consequences of globalisation
• Ubiquity of data privacy laws in countries of
economic/political significance by 2020
– USA and China the main outliers (private sector)
• European laws (EU & CoE) soon in a minority
– EU laws are only 28% at present, and falling
• Laws with strong data export restrictions are not
limited to the EU, or to Europe
• ROW laws expand, strengthen, and are enforced
– Google: Korea (TOS) and Macau (Streetview)
• Results:
– Weak national laws may cause multilateral complexities
– Need for an internationally accepted standard increases
– ‘Interoperability’ begs the Question: ‘on what basis?’
What fundamentals
should we look for?
A = Principles; B = Enforcement; C= Data exports
(A) Standards for principles
• Over 30+ years, 2 standards emerged
1. 1st Generation - ‘Basic’ Principles
OECD (1981); CoE (1981); APEC (2005)
Also incorporated in ‘European’ principles
2. 2nd Generation - ‘European’ principles
EU Directive (1995); CoE Additional Protocol (2001)
• Will 3rd Generation principles emerge?
Possible from EU Regulation and CoE
Not from OECD revision or APEC
• Which Principles are enacted globally?
Basic data privacy Principles
(OECD & EU hold 1-10 in common)
Collection - limited, lawful and by fair means; generally with consent
or knowledge (OECD 7)
Purpose specification at time of collection (OECD 9)
Notice of purpose and rights at time of collection (OECD ambiguous)
Uses (including disclosures) limited to purposes specified or
compatible (OECD 10)
Data quality (relevant, accurate, up-to-date) (OECD 8)
Security through reasonable safeguards (OECD 11)
Openness re personal data practices (OECD 12) [not specific in EU]
Access, individual rights of (OECD 13)
Correction, individual rights of (OECD 13)
10. Accountable Data controller with task of compliance (OECD 14)
We will assume these 10 basic principles in laws
discussed, and focus on (I) where one is absent or (II)
additional principles
What standards are enacted globally?
– ‘Basic’ only or ‘European’?
1. Must first answer: ‘what are European data
privacy standards?’
2. Approach: What is required by the EU Directive
but not required by the OECD Guidelines?
3. Identified the 10 key differences as ‘European
standards’ (next slide)
4. Examined 33/37 non-European laws (as at Dec.
2011) against these 10 criteria
5. Result: Average 7/10 ‘European’ factors found
6. Now 48 laws (not 33) but no significant change
7. Conclusion: The current ‘global standard’ is to a
significant extent the European standard
10 ‘European’ standards
EU Directive (1995) & CoE 108+Add. Protocol (2001)
‘Minimality’ in collection (relative to purposes);
General ‘fair and lawful processing’ requirement;
Some ‘prior checking’ by DPA required;
‘Deletion’: Destruction or anonymisation after use;
Sensitive data additional protections;
Limits on automated decision-making;
‘Opt-out’ of direct marketing uses required.
8. Has a separate independent DPA; (enforcement)
9. Allows remedies via the courts; (enforcement)
10. ‘Border control’ data exports restrictions.
An ‘adequate’ law = one implementing most of these
Invitation to accede to CoE Convention 108 requires similar
(B) Standards for enforcement
• No accepted international standards
– EU Article 29 Working Party (WP29) Opinion on elements of
adequacy is often cited
– Proposed EU Regulation may set new standards
– Revised OECD Guidelines adds some
• Numerous enforcement mechanisms are possible
• Few laws include all such enforcement mechanisms,
it is their combination in an effective system that
counts …
• Necessary to go back to 1st principles …
Purposes: What should
enforcement achieve?
1. Deterrence
– inhibits future breaches which are not specific/identified
2. Prevention
– Intervention in current/anticipated specific breaches
– Occurs before breach complete and damage suffered
3. Guaranteeing assertions of rights
– Where individuals have to act to assert a right
– Eg some correction or deletion rights
4. Remedies for individuals
– Restorative or compensatory remedies
– Occurs after breach, damage already suffered
5. Punishment (?)
Is data protection enforcement ever for punishment?
Fines etc against a unique defendant can still deter others
Types of enforcement measures
Enforcement measures can be characterised as:
1.Whether there is an independent DPA
2.Varieties of complaint investigations
3.Investigative powers and procedures
4.Orders and remedies available from DPA / Ministry
5.Publication of enforcement details (statistics and cases)
7.Rights of court action to enforce Principles (+ of appeal)
8.Data breach notification requirements
9.Systemic (non-complaint) preventative/deterrent measures
The model of ‘responsive regulation’:
What is needed for effective enforcement?
Elements of‘Responsive regulation’
(Braithwaite, Parker et al)
Enforcement pyramid in a licensing
system (Braithwaite 1993)
1. Effective regulation requires multiple
types of sanctions of escalating
2. It is an enforcement pyramid:
sanctions at the top get used far less
than the cheaper bottom layers
3. All forms of sanctions must be actually
used when necessary
4. Use of each level of sanction must be
visible to those regulated, consumers
and the representatives of both
5. The higher levels are incentives for
the lower levels to be made to work
High peaks create more pressure down (Anon, NZ origin)
A complaint-driven enforcement
pyramid for data protection
A systemic (non-complaint)
enforcement pyramid for data
(C) Data export restrictions –
Must ask 6 Question for each jurisdiction
1. Does the DP law of the controller’s jurisdiction
assert extra-territorial operation?
Assertion of control over persons/objects outside
DP laws are in default not extra-territorial
But nothing illegal in international law about assertions
2. Under what conditions are transfers (data
exports) to a foreign jurisdiction allowed?
Contracts required?; Notice to data subject required?;
Notice to DPA required?
3. Are there special rules for controller-to-processor
Terminology in every country is different, so are the
Issues for each jurisdiction (2)
4. Can the data subject enforce the
controller/processor contract against
Does a privity of contract doctrine prevent this?
5. Is the controller liable for breaches by the
foreign processor? (vicarious liability)
6. Does the processor jurisdiction’s DP law
exempt outsourced processing (in full or
North-East Asia – the leaders
• Most countries
have recent new or
revised data
privacy laws
• With new laws in
China, North-East
Asia is the most
data-privacyintensive region
outside Europe
Order of consideration
1. South Korea
2. China
3. Hong Kong SAR
4. Taiwan
Not covered
1. Japan
2. Macau SAR
3. Mongolia
South Korea
• OECD and APEC member; APPA member
• New comprehensive Personal Information Protection Act (PIPA)
– In force from 10/11; only enforced from 4/12
– Adds many new features to existing strong foundation
• Previous legislation (largely replaced but not entirely)
– Private sector – ’Data Protection Act’ 2000 (in a broader Act)
• Administered by Korean Internet & Security Agency (KISA)
• Scope limited to businesses utilising telecoms services
• Active enforcement by Korean Personal Information Dispute Mediation
Committees (PIDMCs): compensation & documented cases
– Public sector - Public Agency Data Protection Act
• Administered by Ministry of Public Administration and Safety (MOPAS);
• Scope covers all public agencies; includes basic principles, but few
limits on excessive collection by governments (defect in OECD)
• Minimal enforcement: no independence; no publication of cases
– Some other specific Acts (eg credit reporting) still over-ride DPAct
South Korea Key new features of 2011 PIPA
One Act now comprehensive of public and private sectors (cf Japan)
Now covers whole private sector - ‘Personal information processor’
Independent Personal Information Protection Commission (PIPC)
1st national DPA in a civil law Asian country
Privacy Compliance Officers required for most businesses/agencies
Collective meditation for disputes with widespread small damage
+ representative actions for injunctions
Mandatory data breach notification to affected individuals
Also to authorities where significant (cf Taiwan)
Mandatory PIAs for potentially dangerous public sector systems
Explicit (opt-in) consent required for marketing using own databases
Act and Enforcement Decree in English (trans. Prof. Park, Whon-il)
South Korea – Additional principles
2011 Act includes all basic OECD principles, plus these additions:
1. Onus of proof of almost all requirements is on the processor
2. Privacy Policy necessary, and overrides any individual agreements
where this favours the consumer (A 30)
3. Minimal collection of personal data necessary for purpose (A 16(1)
Desirability of ‘anonymity, if possible’ of processing (A 3(7))
No denial of services because of refusal to provide unnecessary
information (A 16(2))
Sensitive data cannot be processed without consent (A 23)
Alternatives to identification by the Residence Registration Number
must be provided (A 24) [RRN use is separately being prohibited]
Strict limits on operation of visual surveillance devices (A 25)
Notification required if personal data collected from 3rd Ps (A 20)
Consent required to disclose to 3rd Ps, who must be identified (A 17)
limited exceptions (A 18) not including ‘compatible uses’
South Korea – Additional principles (2)
10. Data exports require consent (A 17(3)) - but notice is weak
11. Notice of sub-processing is required (A26), and must be identified
10. OR public Privacy Policy (PP) can give notice of sub-processing
11. sub-processors are deemed employees (A 26(6)) (vicarious liability)
12. Deletion (not de-ID) of personal data required after use (A 21)
13. Suspension of processing can be required by data subject (A 37)
14. Privacy Officer must be appointed, with detailed duties (A 31)
10. Draft Guidelines suggest wherever more than 50 employees
15. Data breach notification always mandatory to data subjects (A34)
10. Also to MOPAS and other authorities if ‘large scale’
16. Offences to improperly deal with, disclose or receive personal data
17. Detailed security measures are prescribed by Presidential Decree,
both locally and for data exports
These 17 points show how far Korea goes beyond the OECD ‘basics’
South Korea - Strong consent
• Unusual in both where consent is required (most
diclosures and change of use, and data exports) and
in requirements for consent to be legitimate.
• Notifications required before consent is obtained (A
15(2) or 18(3)) must separate 3 matters:
– each matter requiring consent must be stated separately, and
each consent obtained separately (no ‘bundling’) (A 22(1))
– information collected requiring consent must be segregated
from informaton not requiring consent (A 22(2))
– if consent is to use information ‘to promote goods or services
or solicit purchase therefor’ then data subjects must eplicitly
consent to this (ie opt-in to marketing uses) (A 22(3))
• This is reinforced by the ‘no disadvantage’ rule
Are these the strongest consent requirements known?
South Korea – Enforcement
The most complex version of the ‘North Asian civil law model’
Complex 5-way administrative structure under new Act:
Japan, Taiwan and China have Ministry-based sectoral enforcement
Korea has added both (I) an independent complaints body and (ii) a DPA
If successful, the Korean model is likely to influence others
Personal Information Protection Commission (PIPC)
Korea Internet & Security Agency (KISA) (includes Personal Data
Protection Center (PDPC))
Personal Information Dispute Mediation Committees (PPDMC/Pico)
Ministry of Public Administration and Security (MOPAS)
Korea Communications Commission (KCC): regulates ISPs and ICSPs
This structure may be changing after the 2012 election
Complexity in who is representing Korea in international fora
PIPC would like to take functions currently(?) exercised by KISA
Influence of MOPAS is still everywhere
South Korea – Enforcement
1. Personal Information Protection Commission (PIPC)
15 member independent Commission within Presidential Office
PIPC’s website <> is out-of-date in English
President appointed independent Chairman (Park, Tae-Jong)
‘Executive Bureau’ within MOPAS, headed by Director-General
‘Standing Commissioner’ is a ‘government official of political affairs’
who ‘directs the Executive Bureau under the Chairman’s orders’
• Roles of setting policy, issuing opinions and reports (A 8)
• Organisations can seek something like an ‘advisory opinion’ on the law
• No clear role in the Act in resolution of individual complaints
• BUT PIPC claims a role re public sector ‘to rectify violations and misuse
of personal information’ (seeA 8(1)(v) and A 18(2)(v))
• PIPC has an ‘Investigation Division’
• PIPC decided complaint against Google Terms of Service
South Korea – Enforcement (2)
2. Ministry of Public Administration and Security (MOPAS)
– Issues ‘Data Protection Basic Plan’ in consultation with PIPC
– Issues ‘Standard Guidelines’, which Ministries can modify for sectors
– Accreditation to Data Protection Commissioner’s conference refused in
2011, because not independent of government
3. Personal Information Dispute Mediation Committees (PIDMC)
Up to 20 persons appointed, with independence provided by Act (A40)
Hear complaints in sub-committees, depending on expertise required
Handles about 90% of privacy disputes (10% in Courts)
‘Mediates’, deciding breach and recommending remedy; if both parties
agree, settlement is binding; otherwise, matter has to go to Court
4. Personal Data Protection Centre (PDPC) within KISA
Receives and investigates complaints, and mediates minor complaints
Assists complainants to prepare complaints to go to PIDMC
KISA still represents Korea at APPA meetings, but PIPC also
Presidential Decree must appoint PDPC to this role (A 40(8))
South Korea – Enforcement (3)
PIDMC’s mediation record under the old Act
– PIDMC must suggest mediation within 60 days of petition filing
– Of 22 reported cases in 2003-04, PIDMC awarded compensation (from
$100-$10K) in 17 cases (English translations are on WorldLII)
– Examples: disclosure of telephone records to estranged husband ($10K);
surgeon posting photos of clients’ plastic surgery ($4K)
– Usually individual vs business disputes; b/w individuals goes to Court
Additional scope for PIDMC mediation under the new Act
– now has powers to mediate public sector complaints (s43()3)
– now has powers for collective dispute mediation (A 49)
– PIDMC has been confirmed as mediation agency by Presidential Decree
Korea has established a unique open, independent and effective system
of dispute resolution over 10 years
South Korea – Enforcement (4)
• Data subjects may sue for damages for breach (A 39)
– Onus of proof of no intent/ negligence is on data user
– Many actions before Courts, including class actions: Held that
massive data leak did not automatically result in damages for mental
distress (2011)
– Little information available in English on court cases
• Collective dispute mediation by PIDMC (A 49)
– Where multiple data subjects are affected, any parties can request
PIDMC to undertake collective dispute mediation
– Presidential Decree sets out procedural details Mediation continues
even if some complainants go to Court
• Class actions (Part 7 ‘Data protection collective suit’)
– If processor rejects collective mediation, various types of NGOs
(defined in Act) are entitel to file a class action (‘collective suit’)
– Suit is filed in the District Court of the defendant’s place of business,
or main office of foreign business’s representative (A 52)
South Korea – 2013
• 2013 Bill (3538) for serious data protection breaches
– Fines up to KRW 500M (US $500,000)
– MOPAS could demand dismissal of senior executives
• 2013 PIPA Amendment re ID numbers
– No ID numbers can now be collected, online or offline
– Existing ID numbers must be deleted (2 yrs for offline)
– Increase to US $500,00 fines (online or offline
• Self/Co-regulation is not significant
– No significant self-regulation under previous Act
– No provisions concerning enforceable codes in new Act
– MOPAS required to facilitate self-regulation
• KISA guidelines strengthened the previous law
– Eg RFID & Biometric privacy Guidelines, 2007
– Which enforcement body will do so in future?
South Korea – Data exports
1. No explicit extra-territoriality provisions
Normal rules of private international law apply
2. Consent and notice required when providing to a
‘3rd P overseas’ (A 17(3)) (Not border control)
(i) consent of the data subject (must be express);
(ii) notice in advance to data subject of identity of recipient,
data to be transferred, purpose;
No specific requirement to give notice of destination
(country), or state of privacy laws at destination
No vicarious liability for conduct of 3rd P recipient.
South Korea – Data exports (2)
3. Special controller/processor rules (A 26)
A 26 applies if controller ‘consigns processing … to a 3rd party’
Prior consent is not required; Notice or PP disclosure is required
Notice must include identity of processor (but not country location)
BUT Korean government authorities have previously required all
data exports, including for outsourcing, to be with consent
Some argue new Act might be interpreted differently (Lee & Ko,
4. No privity of contract problem, so data subjects
can enforce
— If exporter contracts with overseas 3rd party for benefit of data subject,
data subject can enforce against 3rd P (Civil Code A 539)
5. Controller has vicarious liability (as employer) for
Applies to compensation for processing contra to Act (A 26(6))
6. No outsourcing exemption
Processor is also liable for all data protection requirements
Map of China in the ‘Warring States’ period
China – Regulation time line
2006/7: Draft Personal Information Protection Act, from Institute of
Law; private & public sectors; included DPA; EU-influenced
2. Some Provinces have enacted data privacy codes, for consumers
3. Piecemeal laws on money laundering, medical records, insurance,
consumer protection and credit reporting
4. 2009-10 Major reforms: Criminal Law and Tort Liability Law
5. 2011 MIIT (Min. of Industry & Info. Tech.) ‘Internet Information
Services Regulations’, in force 3/12
6. 2012 NPC Standing Committee ‘Decision’ (a law) on Internet
Information Protection, in force 12/12
7. 2013 MIIT Standardization Administration ‘Guidelines’ on Personal
Information Protection in ‘computer information systems’
8. 2013 MIIT ‘User Data Protection’ Regulations’
Result: No national law yet, but consistency emerging 2011-13
Considerable consistency in principles; private sector only
Ministry-based enforcement, with no sign of a DPA
China: Internet Information Services
Regulations 2011
This is still the single most important regulation
•Adopted by MIIT (Min. of Industry & Info. Tech.) 12/11
•Scope: Applies only to ‘IISPs’, with a broad meaning
– Anyone providing information to Internet users
– Does not include the public sector
• ‘User’s personal information’ is any PI, but some cls
only apply to ‘information uploaded by a user’
•‘Telecommunications authorities’ at all levels can
enforce, but some aspects may go to the Ministry
– Administrative orders to change practices, fines, and adverse
publicity can result (at discretion of authorities)
– No explicit civil damages, but could arise under Tort Liability
China: Internet Information Services
Regulations 2011 (2)
Content of the data privacy principles
Collection must be the minimum required for purpose
Express notice of purpose and use required at collection from
user (not from 3rd Ps)
Use of any PI must be limited to purpose of collection
No data quality requirements except not to modify
Very general data security obligations
Data breach notification (to telecoms. Authorities only)
required if ‘serious consequences’
disclosure limits might only apply to info uploaded by user
but MIIT requires user notification, on past occurrences
A data controller to receive complaints must be publicised
OMISSIONS: (1) Any user rights of access, correction etc;
(2) data export limitations; (3) Sensitive data
China: NPC Standing Committee
‘Decision’ on Internet info. 2012
• Highest level law yet enacted in China to deal
specifically with data protection
– Despite its name, it is legislation
– Ranks higher than a Ministry regulation (MIIT)
• Scope
– Cl 1 declares protection of personal ‘electronic and digital
information’ and prohibits its illegal use
– Other clauses only regulate IISPs
• Decision also includes ‘real name’ regulation
– ISPs etc must know real identities of users
– Does not abolish online pseudonyms
China: NPC Standing Committee
‘Decision’ on Internet info. 2012 (2)
What does Decision add to the MIIT regulation?
1.Adds an opt-out from direct marketing
2.Adds a right to require ‘take downs’ by IISPs
3.Explicit right to file criminal complaints
4.Explicit right to seek civil liability (Tort Law?)
5.Omits many key principles (eg access)
Leaves ambiguous whether ‘finality’ applies to PI
collected from 3rd parties
Nor a codification, but must be added to the
MIIT regulation – cumulative effect is significant
China – MIIT Personal Information
Protection Guidelines 2013
• Only ‘Guidelines’, but could an Internet business
safely ignore MIIT ‘advice’?
– May well indicate standards to be followed under other laws
(eg Tort Liability Law)
• Scope
– Applies to all private sector ‘computer information systems’,
not only IISPs
– ‘personal info.’ has a conventional definition
– ‘sensitive personal information’ is defined (for first time) and
made industry-specific
– Adds a controller (‘administrator’) / processor (‘receiver’)
distinction (for first time)
• Unofficial translation is at <>
China – MIIT Personal Information
Protection Guidelines 2013 (2)
What do the Guidelines (although ‘advisory’) add to the
Regulation and Decision?
1.The 8 ‘Basic Principles’ are China’s most coherent set
(but omit user rights)
2.But 4 phase ‘life cycle’ procedures add much more:
Distinguishes where express consent and opt-out allowed
Detailed notifications, including of outsourced processing
Minimal and non-deceptive collection required
Sensitive data protections for minors etc
Rights of access and correction (for first time)
Data export restrictions requiring express consent or
government permission (for first time)
Deletion requirements, on expiry of purpose, or request
China - MIIT ‘User Data Protection’
Regulations, 2013
– Telecommunications and Internet Personal User
Data Protection Regulations 2013
– Cover both IISPs and telecommunications
business operators (TBOs)
• What does this add to the previous list?
– Potentially broader definition of ‘personal user
data’ not requiring capacity to identify
– Requirement to publish a privacy policy
– Cannot collect data ‘without user permission’
– Collection must cease with cessation of account
– (Possibly strict) liability for 3rd party processors
China - MIIT ‘User Data Protection’
Regulations, 2013 (2)
• New aspects of administration and
– Additional data breach notification requirements
– Annual self-inspection of security measures
– Details of inspections by ‘telecomms management
organs’ (TMOs)
– Violations and fines will be published on the ‘Social
Credit Register’ (‘name & shame’)
– Fines and penalties for TMOs and employees that
fail to enforce the law
• A template emerging for all the private sector?
China - Criminal Law
• 7th Amendment to the Criminal Law of the PRC (2009), A 253
– Criminal penalties for institution or employee selling, otherwise illegally
disposing, or offering to sell personal information
– Covers employees of government, hospitals, schools, and telecomm,
financial, or transportation companies
– Penalties also apply to those illegally obtaining data
– Sentence up to 3 years plus monetary penalties
• Enforcement
– First prosecution reported (Jan 2010): Zhuhai man’s illegally purchased log
of telephone calls by high government officials, then sold to others who used
it logs to fraudulently impersonate officials. Purchaser sentenced to 18
months, others prosecuted for fraud.
– Recent prosecutions [U32] are mainly under the Criminal Law
– Significant jail sentences have resulted
• Reinforced by cl 1 of 2012 NPC Standing Committee ‘Decision’
China – Tort law
Constitutional right to privacy cannot found civil cases (Supreme People’s Court)
Under General Principles of Civil Law (pre-2009)
– Privacy issues treated as defamation cases, following Judicial Interpretation
(SPC) holding privacy to be subsidary to the right of reputation - some
– Example: Website operator held liable for defamation, for website about the
husband of a woman who committed suicide, resulting in him being
harassed. Apology and compensation of about $1,000. (Appeal decision in
‘human flesh search engine’ case)
Tort Liability Law 2009 (Enacted 26/12/09, in force from 1/7/2010)
– A ‘right to privacy’ (undefined) is included in the list of ‘civil rights and
interests’, the breach of which leads to civil liability
– Employers are vicariously responsible; ISPs are liable for torts committed
using their networks, unless they take sufficient steps after notice (A 36)
– There are some recent minor cases under this law
Civil (administrative) actions against government
– now recognised by SPC Provisions (2011) for misuse of confidential
China – Draft data protection Act (2006)
• Draft Personal Information Protection Act (2006)
– 2006 draft by Prof Zhou HANHUA, Director of the Institute of Law,
Chinese Academy of Social Sciences, + team of experts.
– Depending on implementing regulations, could have been more like
an EU law than an OECD/APEC implementation
– Considerable consultation between EU and Chinese bodies
– Went to the State Council for consultation, but no further
• No evidence it is proceeding at present (last mentioned 2009)
• Why different from 2011-13 MIIT / NPC developments?
– Covered (1) public sector and (2) whole of private sector
– No data protection authority, but a more coherent set of remedies
• Why still significant?
Indicates type of law supported by part of PRC elite opinion
Best point of comparison for any new comprehensive law
Details are therefore included on following PPTs
See my detailed analysis at
China - Draft data protection Act 2006 (2)
‘General Provisions’/Principles (Ch 1)
Protection of rights (access and correction)
Balance of interests
Information quality (incl collection and use limits)
Information security
Professional duties (like ‘accountability’)
Remedy (incl admin remedies and compensation)
+ ‘Scope of’ and ‘Exceptions to’ applicability
+ ‘Cross border transfer’ (A48)
No automatic restriction - ‘may restrict’
Grounds for restriction include that recipient country/area ‘cannot give
sufficient legal protection’
China - Draft data protection Act 2006 (3)
• Application to government authorities
– Very broad exceptions to use restrictions
• Application to ‘other data processors’
Applies to all private sector organisations
Registration required before collection begins
Collection only for ‘clear and specific purposes’;
Secondary uses strictly limited
• Administration (Ch 4)
– widely distributed among all agencies ‘above county level’; no
‘Privacy Commissioner’
– General regulations to be made at State Council level
China- Draft data protection Act 2006 (4)
• Safeguards and remedies (Ch 4 & 5)
– Administrative review always available, with right of
appeal to Peoples’ Court
– Alternative judicial remedy at any time in People’s
– All data processors ‘should bear liability for
compensation in accordance with law’
– Administrative liabilities and criminal liabilities (Ch
Hong Kong SAR
• HK SAR part of PRC; APEC & APPA member
• Basic Law provides constitutional protection
– Used to find telecommunications surveillance unlawful
• Personal Data Protection Ordinance 1996
– Combination of EU, OECD and UK influences: first
comprehensive data protection law in Asia
– Privacy Commissioner for Personal Data (PCPD): first ‘European’
model of a DPA in Asia
• Amendment Ordinance 2012
– passed by LegCo 27/6/12; in force since 1 April 2013
– first significant change in 15 years; strengthens Act
– Administration’s Bill makes far less change than Privacy
Commissioner proposed, but he welcomes it
Hong Kong SAR – Principles
• HK Ordinance covers all basic principles
• Some additional principles:
data matching;
direct marketing opt-out;
public registers
Also no exemption for ‘publicly available information’
• s31 data export limitations not in force
– Only section not in force; applies ‘outside Hong Kong’
– Privacy Commissioner is obtaining a consultant’s report on
how the s31 ‘white list’ could operate; expected Dec 2013
– Business could be advised to operate as if s33 was in force
Hong Kong SAR – Data exports (1)
1. Extra-territorial application remains unclear
– AAB decision in Yahoo! Case did not clarify
2. No explicit export controls (s33 is not in force)
– No need to inform data subject of overseas transfer
– Commissioner’s Model Contract (1997) is non-statutory
– s33 only provision of Ordinance not in force
• s33 includes ‘White List’; but Commissioner is preparing one
• s33 includes exemptions based on exporters ‘belief’ concerning
overseas law
3. No special rules for controller/processor transfers
– New 2012 controller (‘data user’)/processor distinction
• Only requires controller to require data deletion after use (s2(3))
– If only ‘hold, process or use’ data on behalf of others, then
not a data user (s2(12))
– Relationship of agency was always recognised (s65(2))
– Note: scope of what ‘processing’ includes (s2) is not yet settled
Hong Kong SAR – Data exports (2)
4. Privity of contract now prevents data subject enforcing
contracts against processors, but might not soon
– Data subject cannot now take action against foreign cloud
– BUT Contracts (Rights of Third Parties) Bill 2013 (see Consultation
Paper) expected to be in effect by 2014; requires express terms
benefiting 3rd P
– Commissioner’s Model Contract (1997) implies (but is not express)
that it is for the benefit of the data subject
5. Controller is liable for [some] acts of foreign processor
– Acts done by an agent (processor) within its authority are
considered to be the acts of the principal (controller) (s65(2))
– No liability for acts of processor outside its authority
– No distinction whether the agent is overseas or in HK
6. May be an ‘outsourcing exemption’ in HK
– If a cloud provider fits s2(12) it is not a ‘data user’ and need not
– S65(2) does not impose any liability on the processor (agent)
Hong Kong SAR –
Existing enforcement (1)
• Attempted enforcement, but a defective Ordinance
– Commissioner does investigate and use powers frequently
Commissioner finds breaches, but unless they are continuing/likely
to be repeated, cannot issue enforcement order, or prosecute for
failure to observe
– Increasing prosecutions and fines, but for minor matters (for
Ricacorp and CITIC prosecutions see U27)
– For 2012 statistics etc see PLBIR 124:27
– No explicit power to mediate complaints, practice uncertain
– Damages only available via Court (s66) but never yet used
• Massive data spills and data sales scandals since 2007
– Data spill of complaints against Police by 20K people; Hospital
operators data spill; Octopus card operator, and 5 banks each sold
consumer’s data
– But Commissioner is powerless to punish or compensate
Hong Kong – Existing enforcement (2)
Commissioner’s new uses of existing Ordinance powers
• Reporting complaint respondent’s identity (ie use ‘name and
shame’) where Ordinance breached
– See Octopus and CITIC case s48(2) reports (U27)
– For recent s48(2) reports, see PLBIR 124:28
– AEGON Direct Marketing example PLBIR 124:30
• Found media intrusions are collection by unfair means
– Sudden Weekly breach findings now on appeal to AAB (U29)
• Proposes to require ‘data user returns’ (DURs) from agencies
and corporate sectors which pose most risk
– Proposed initially from public sector, banking, telecomms, and
insurance industries, and organisations with large customer
databases of (eg loyalty schemes)
– Data required will include overseas transfer practices
– Amended Ordinance allows him to require verification
– Would be first (limited) ‘registration’ system in Asia-Pacific
HK Amendment Ordinance 2012 Offences
Sale of personal data (no matter how collected) is subject to
notice + opt-out; otherwise, criminal offence
Direct marketing for data user’s own purposes (or providing to
others for DM) is subject to notice + opt-out
Disclosure of PD obtained from a data user, without consent,
now an offence
Commissioner can now direct a data user to remedy a breach,
and specify how
Blanket objections to sale of personal data possible
Over-rides current requirement of consent (DPP 3)
Failure to do so is now an offence
Repeating the same breaches also now an offence
Still no data breach notification requirement
Government agencies have agreed to immediately report
Private sector failures to do so may result in s48(2) reports
HK Amendment Ordinance (2) Compensation
1. Compensation proceedings moved to District Court
Standard costs order is ‘no order as to costs’
2. Commissioner can prescribe forms to assist
complainant to ask Qs of respondents
Replies admissible and must not mislead
3. Commissioner can assist complainants with advice,
legal representation and even the negotiation of
Commissioner’s costs are a charge against any
4. No applications made since 1 April 2013 have yet
been accepted
• APEC (as Chinese Taipei); not ASEAN or OECD
• Current protections
– Explicit Civil Code protection (s195(1))
– Evolving constitutional protections (significant cases)
• Computer Processed Personal Data Protection Act
1995 (CPPDPA) – was in force until October 2012
Scope limited: public sector + 8 industry sectors
No single oversight body, left to sectoral Ministries
Little enforcement [U32]
One of the less successful ‘North Asian civil law’ Acts
Taiwan - New Act (Overview)
New Personal Data Protection Act (PDPA)
• Enacted 05/10, in force in October 2012
– Rules (by Min. Justice) have been finalised by Executive Yuan
– A 6 (sensitive info.) and A 54 (notification) to be held back until
amended (Bill to do so is before Executive Yuan)
• Comprehensive of all sectors
• No DPA - Still Ministry-based enforcement
– Did not work with previous Act; but Ministry of Justice will now
coordinate, and this is expected to work better
• Stronger Principles: Notice; sensitive data; narrow
mandatory data breach notification
• Much stronger enforcement: Representative actions
Result: Raises Taiwan closer to international standards
Taiwan - Principles
• New Act covers all basic principles; Additions:
• Restrictive grounds for using sensitive data
• Notice required for collection from 3rd parties (before use) as
well as from data subjects
• Opt-out required for direct marketing uses
• Cessation of processing where purpose of use complete
• Mandatory data breach notification (A 12)
– Notice to affected persons (not to Ministry); Rules define method
– Only where a breach of the Act is involved (weakness)
• Weaknesses in Principles
– Over-broad exceptions for secondary use, access
– Security principle is ill-defined, with no stated standard
• Conclusion: Modest strengthening, far short of Korea
Taiwan - Enforcement (1)
• Individual rights to damages for breaches
– Strict liability on public agencies (A 28); procedure is under
State Compensation Act
– Private sector has onus to show no wilful or negligent acts (A
29); procedure is under Civil Code
• Class actions are by defined representative NGOs
– Allowed once they have 20 claimants
– Mass claims are capped at US6.7M damages
• No transparency requirements
– No annual reports, reporting of complaints, fines etc
• Offences and administrative penalties extensive
– Enforced by Ministries responsible for each sector
Taiwan - Enforcement (2)
• Ministry enforcement of current Act
– Enforcement actions are almost entirely lacking
– No agencies saw this as a core role
– New Act identifies MOJ as responsible for coordinating enforcement
• Enforcement of current Act in the Courts (since 1995)
– 3 actions for damages successful (from 40)
• Largest award A$2,700 (insurance Co. disclosure)
– 100 criminal prosecutions, 60% convictions, usually as a lesser
• Enforcement by Financial Supervisory Commission (FSC)
– Privacy enforcement actions against banks, insurers and insurance
brokers, based on its own regulations, with fines up to A$130,00
– Only lesser fines are possible when it proceeds under the DP Act
Taiwan – Data exports
No specific extra-territoriality provisions with one exception
– Applies to ‘collection, processing or use’ outside Taiwan of
data of Taiwanese nationals (A 51)
– Does this only apply to companies otherwise subject to the
2. Data exports: Default position is ‘no limitations’
– Restrictions at option of relevant Ministry (A 21)
– One ground: receiving country lacks adequate protections
– Until prohibited, no restriction on cloud processing
3. Special controller/processor provisions
– Anyone retained to process personal data is ‘one and the
same as the retaining agency’ (A 4)
– Controller must exercise careful monitoring over processor
(Enforcement Rules, A 8) – failure to do so will be a
Taiwan – Data exports (2)
4. Data subject can enforce controller/processor
contracts against processor if expressed for benefit
– Assumed so, as a civil law jurisdiction (no privity bar)
5. Controller is vicariously liable for processor’s acts (A
– Controller is responsible for all exercise of rights by data
subject (Enforcement Rules, A 8)
6. No outsourcing exemption
– Data imported into Taiwan is subject to its Act
ASEAN - New growth area
ASEAN & privacy commitments
Association of South East Asian Nations (ASEAN) has 11 members
– 7 also in APEC: Singapore, Malaysia, Philippines, Vietnam, Brunei,
Indonesia, Thailand (4 are not: Cambodia, Laos, Myanmar, Timor-Leste)
ASEAN Human Rights Declaration (Dec 2012)
– First human rights instrument many ASEAN countries have entered
– Similar terms to International Covenant on Civil and Political Rights (ICCPR)
– A21: ‘Every person has the right to be free from arbitrary interference with
his or her privacy, family, home or correspondence including personal data’
Committed to establish ASEAN Economic Community by 2015
– Harmonised e-commerce framework includes in its targets adoption of best
practice on data protection (no commitment to legislate)
– Did adopt harmonised e-commerce laws in 8 countries in 5 years
• ASEAN may become a significant driver of privacy law developments, but:
– Only private-sector-wide law yet fully implemented is in Singapore
– Minority of fully democratic members means privacy laws governing the
public sector are unlikely (except Philippines, Indonesia and Thailand)
ASEAN: Order of consideration
Malaysia: Bill (with DPA) enacted 2010, not yet in force,
Thailand: Bill (with DPA) since 2009, before Cabinet
Indonesia: new Regulation under IT law; Draft Bill?
Philippines: Bill (with DPA) passed 2012; not effectively in
Not covered in presentation:
5. Singapore: Bill (with DPA) enacted 2012, in force
6. Vietnam: e-commerce & consumer laws, in force
7. Other countries: Brunei and Lao may be developing Bills
• Malaysia legislated in 2010, but not yet in force
Personal Data Protection Act covers private sector only
Only data in ‘commercial transactions’ (broadly defined)
Principles are EU-flavoured, with weaknesses
‘Whitelist’ approach to data exports, with over-broad exceptions
Commissioner lacks independence for international accreditation
No effective enforcement by DPA, only prosecutions for offences
Result: A weak model for other ASEAN nations
• Current position on bringing into force
– New Personal Data Protection Department established 2012
– Regulations and guidelines drafting ‘90% complete’
– No decision whether a Commissioner will be appointed, but July
2013 rumour of imminent appointment [U55]
– Minister announced intention to bring in force 16 August 2013 for all
new data collection, + existing data required to comply in 3 months
Malaysia – Privacy principles
• Requires consent to processing of data
– Processing (collection, use and disclosure) must be directly related
to a lawful activity of user and not excessive; Many exceptions
(s6(2), s39, s40, s45)
– Allows withdrawal of consent to processing (s38, s42)
• Other non-OECD principles include written notice (s7), retention
limitations (s10), opt-out from direct marketing
• Weaknesses of principles in the Bill
– vague security principle;
– notice of intention to disclose can circumvent limitations;
– broad and discretionary exemptions
Overall, principles are EU-influenced, somewhat weak
Malaysia – Data exports (1)
1. Extra-territoriality – Some limited operation
– No application to any processing outside Malaysia
– Exception if data is to be re-imported into Malaysia (s3(2)): Indirect
protection for Malaysians whose data is processed in overseas
– Otherwise, Act applies to anyone who is ‘established in Malaysia’ or
uses equipment in Malaysia for processing data (except transit) (s2)
2. Data exports - ‘Border control’ with numerous exceptions
– ‘White list’ - exports prohibited unless Minister (on advice of
Commissioner) determines a place provides either (a) a law
substantially similar ‘or that serves the same purpose’ or (b)
provides at least equivalent protection (s129)
– usual exceptions (as in Directive A26)
– + Exception (3)(f): reasonable precautions + due diligence to ensure
overseas processing would not breach the Act (if in Malaysia)
Malaysia – Data exports (2)
3. Special controller/ processor rules
‘data processor’ processes solely on behalf of someone else; ‘data
user’ is anyone else doing, controlling or authorising processing (s4)
Only a ‘data user’ is liable for breaches of Data Protection Principles
4. Data subject cannot enforce controller/processor contract
against processor
privity of contract restrictions on 3rd P benefit contracts apply
5. If s129(3)(f) due diligence applies, then no liability on controller
irrespective of breaches by processor
no vicarious liability, weakest protection
6. [If processing is in Malaysia] Outsourcing exemption?
The Malaysian processor will not be a ‘data user’, so no application
Any use of equipment in Malaysia for processing attracts operation of
Act (s2(3)(b)) – Foreign controller may be (in theory) subject to Act
Malaysia – DPA
Personal Data Protection Commissioner
– Not appointed after nearly 2 years, possibly may not be [U36]
– Can the Act function with no Commissioner, only prosecutions?
Fails all tests of independence (but only covers private sector)
– Can be sacked at will by Minister (s54)
– Minister determines remuneration (s57)
– Minister can give Commissioner ‘directions of a general character’ consistent
with Act (s59)
Functions (s48), include:
– To investigate complaints and issue enforcement notices
– To advise the Minister on data protection policy
– To advise which other countries provide substantially similar protection to
– Minister may require registration of specific classes of data users (as may
HK Commissioner)
Malaysia – Enforcement
Any breach of a Principle is an offence (s5(2)), prosecuted by decision
of the Public Prosecutor, before Supreme Court
– Unusual to have offences as the principal form of enforcement
– Other offences for 3rd parties collecting, or disclosing without consent, data
held by a data user (s130)
If Commissioner finds contravention of Act is continuing or likely to
be repeated, can issue enforcement notice (s108)
Offence for data user to fail to comply
No remedies where breaches are unlikely to recur
Same defects as Hong Kong and pre-2011 UK
Rights of appeal by either party to Appeal Tribunal (Pt VII)
Commissioner has no power to award damages or role of conciliating
No individual rights to seek compensation or proceed in court
Enforcement is likely to deliver minimal benefits to consumers,
because neither individuals nor the Commissioner can take
effective action – weakest enforcement in Asia (Japan excepted)
• APEC and ASEAN member, not OECD
• Current protections
– Constitutional protection since 2007 of ‘a person's family
rights, dignity, reputation, and the right of privacy’
– Official Information Act, 1997
• Only covers State agencies (unusual in APEC)
• Administered by 32 person Official Information Commission
(OIC) and the Office of the OIC
• Limits personal data collection and retention; limits disclosure;
requires security; provides access and correction rights (most
elements of information privacy)
• Statistics to 2005 show 880 appeals (to OIC or Information
Disclosure Tribunal) from 1300 complaints against government
at all levels
– Some industry sectoral requirements (eg telecomms)
Thailand – Principles (2012 Bill)
• Personal Data Protection Bill 2012
– Bill forwarded by Council of State to Cabinet in 2009, but did not
– New Shinawatra government (2011) did not include it in its
legislative program, but it was apparently still the basis for drafting of
the 2012 Bill
– August 2012: Cabinet approved Bill going to Coordinating
Committee of Parliament, which is to forward it to Parliament
• Principles (only covers private sector; not so in 2009 draft)
– All basic principles are included
– General principle of no processing (‘collected, used or disclosed’)
without consent, and right to revoke consent
– Strict limits on collection by surveillance/ observation
– Broad sensitive information restrictions, but must be prescribed in
– Deletion/de-identification required after use complete
Thailand – Data exports
• Data exports
– ‘Border control’ approach: exports limited to countries with ‘laws
[no] less stringent’, plus usual exceptions
– Will this appear in the final Bill?
Thailand – Enforcement
Not certain that all these details are in the 2012 Bill
• Committee on Data Protection to oversee Act
– 14 members, majority of officials: criticism within Thailand for
insufficient independence
– Director of Office of the Official Information Commission is member
and provides secretariat (s7) which deals with data users and the
public (s15)
– Board advises PM on policy, making of regulations, criteria for
marks or standards etc
– Board sets Codes of Ethics for data controllers
• Personal Data Inspection Board/Committees to handle disputes
– Board may appoint many Committees to mediate disputes
– If mediation fails, Committees can make orders including remedial
actions and injunctions (monetary remedies may be via Courts)
– Administrative fines and criminal penalties possible
– Vicarious liability of directors etc unless they prove no knowledge
• Information and Electronic Transactions Law 2008
– Highest form of Indonesian legislation
– A26 requires consent for use of any person’s personal data
‘by use of electronic media’
– ‘Elucidation’ implies rights of access and correction
– A26(2) Courts can award compensation for breaches (No
cases yet)
• Regulation on the Operation of Electronic Systems
and Transactions (2012) A15 expands A26 of Law
2nd highest form of Indonesian legislation
Scope may apply to both private and public sectors
A15(1) amounts to a concise data privacy code [U57]
A15(2) adds a data breach notification requirement
Indonesia - Enforcement
• Breaches of A15 can result in
administrative sanctions (fines)
• A26 of 2008 law provded right to sue for
compensation (under Civil Code)
Indonesia – Comprehensive law?
• Other Ministries may now be working on
comprehensive laws
• Draft Personal Data Bill 2007
Task of Minister of Administrative Reform since 2007
Also has task of creating a National ID Card
Draft existed (2008) but never submitted to Parliament
Proposed Principles influenced by OECD, EU and APEC
Covers basic principles plus data retention limits
Role and independence of Privacy Commissioner not settled
• APEC and ASEAN Member, not OECD
• Very limited rights until 2012
– Some constitutional protections in theory
– Right of ‘Habeas data’ (constitutional right of access and correction)
adopted by Supreme Court (2008) - No known uses as yet
– Electronic Commerce Act (2000) s3(e) general principles – not used
• Data Privacy Act 2012 now enacted, but not effective
– Previous House and Senate Bills ‘reconciled’ by bicameral
committee mid-June, then enacted by both houses before they rose
– Resulting reconciled Bill was largely similar to previous House Bill
– Aquino signed on 15 August 2012, so became law 30 August
– BUT National Privacy Commission (NPC) is not yet appointed
– NPC must make Implementing Rules & Regulations IIRRs) within 90
days of appointment
– ‘Existing industries [etc] affected’ are given 1 year transition from
date of IRR (s42)
Philippines – Principles
• Covers both public and private sectors, all data
• Collection limited to ‘not excessive’ data (not ‘minimal’)
• Subsequent use/disclosure requires consent
(express/implied) or a broad exception requiring balancing
of necessary interests of controller/ 3rd P against
constitutional rights of data subject (ie weak protection)
• Processing of sensitive data generally prohibited, and very
broadly defined - much stricter than elsewhere
• Data breach notifications to both Commission & individuals
• Deletion or blocking of data required after use completed
All OECD basic principles covered; Strong influence of
EU Directive throughout - except data exports
Philippines – Enforcement
National Privacy Commission (NPC)
– Within the Office of the President; Commissioner + 2 Deputies
– Oversight and coordination role in both sectors; advice, codes etc
Civil actions, orders and compensation
NPC has strong powers to investigate complaints
Can ‘adjudicate’ and ‘award indemnity’ (compensatory damages)
Can ban processing, temporarily or permanently
Specific power to publicise the sanctions it has used
Actions for damages (‘restitution’) under Civil Code possible, but only as a
consequence of a criminal breach
Criminal penalties
– NPC can recommend prosecutions
– Many criminal penalties for breaches of principles, including unauthorised
Privacy Codes
– NPC can approve or reject Codes, but consequences are uncertain
Potentially one of the strongest ranges of enforcement measures
Philippines – Data exports (1)
1. Some extra-territorial application (s5)
– Covers acts done outside Phil concerning (a) Phil citizen or resident; or
(b)/(c) many different links with Phil
– Scope includes all controllers and processors using equipment located
in Phil. or maintaining office etc in Phil. (s4)
No express data export limitations (s9A ‘Accountability’
– Makes controller ‘responsible’ for international transfers, ‘subject
to cross-border arrangements and cooperation’;
– Also ‘accountable for complying with the … Act’ and for ‘using
contractual or other reasonable means to provide a comparable
level of protection while the information are being processed by
a3rd party’
Special controller / processor rules (s12)
– Controller is responsible for complying with the Act;
– Processor is also required to comply with the Act
Philippines – Data exports (2)
4. Data subject can enforce any controller/processor
contract if there is one stated to be for his/her benefit
5. Vicarious liability of controller for breaches by
processor is unclear (s12)
6. [Cloud processing in Philippines] Outsourcing
exemption explicitly provided
– excludes all personal information originally collected from
residents of foreign jurisdictions in accordance with their
laws, being processed in Phil. (s4(f))
– Intended to exempt all outsourced processing
– May fail to exempt call centres operated from the Philippines
India in 1857 – ‘The Great Rebellion105
India - Prior to 2011
• India’s pre-2011 piecemeal privacy protections still operate
– For details see on my home page 'The Illusion of Personal Data
Protection in Indian Law’ (2011) 1 (1): 47-69 International Data
Privacy Law
• Indian Constitution implies privacy right
– A 21 protection of ‘personal liberty’ is the basis
– Mainly used to limit search and surveillance
– Naz Foundation Case (2009) extends previous case by holding
unconstitutional legislation criminalising homosexuality, based on
– Supreme Court could, but has not,
• expanded this right to ‘informational self-determination’
• Forced the government to legislate, as it did with the Right to
• Right to Information Acts
– Right of access to own file in all public sectors
– Supreme Court ordered Parliament to legislate
India – pre-2011 (2)
Credit Information (Companies) Regulation Act 2005
– Establishes extensive credit surveillance system
– Has basic privacy principles, and more (in theory)
– No Reserve Bank enforcement, law ignored by industry and government
Consumer Disputes Redressal Commissions
– Established under Consumer Protection Law 1986
– Allows complaints about unfair/deficient practices/services
– National Commission used complaint about mass disclosure of subscriber
information to force Telemarketing legislation (Nivedita Sharma Case)
Unique ID number system (‘Aadhaar’)
Allocation of 1.2BN ID numbers by 2015 planned; over 600M issued
Is overshadowing developments in data protection
Unique Identification Authority of India (UIDAI) Bill before Lok Sabha
Report of Lok Sabha Finance committee Dec 2011 very critical
For details see on my home page ‘India’s National ID System: Danger
Grows in a Privacy Vacuum’, Computer Law & Security Report, 2010
– Only one of many extensive government surveillance systems
India – Self-regulation
• Data Security Council of India (DSCI)
– Established by NASSCOM (industry association for
information processing) 2007
– DSCI’s Framework for Data Protection 2009 aims to reassure
overseas data sources that Indian outsourcing providers
observe proper security, integrity etc procedures
– DSCI’s dispute resolution mechanism does NOT deal with
complaints by data subjects, only by overseas data sources
– DSCI may provide indirect data protection benefits, but is not
data protection self regulation, as it ignores data subjects
• NASSCOM operates register of IT sector employees
– it only has 25% coverage of industry workers as yet for its
‘security checks’ of employees
India - The U-turns of 2011
• Twice sought an ‘adequacy assessment’ from EU
– 2009/10 and 2012/13: No announced results
– To protect Indian outsourcing (BPO) from Europe
• April 2011: Rules made under s43A of the IT Act 2000
to add a whole data privacy code
– Possibly ultra vires (the Rules are not about ‘security
practices’) or even unconstitutional (nature of Tribunal)
– But it is prudent to assume validity until challenged
• August 2011: ‘Press Note’ attempts to change Rules
– It says Rules 5 and 6 (most Principles) do not apply to data
processed in India on behalf of overseas data controllers
– All four propositions in the Press Note are arguably incorrect
– The prudent course is to follow the Rules, until Court clarifies
India - Principles in 2011 Rules,
applied to an Indian data subject
NOTE: My interpretation has changed – Summary at [U64] is preferable to
older articles at [46] and [50] (some errors based on draft Rules)
•Application of Rules to data collected from a consumer in India
1.All basic OECD principles + retention limits are provided
Collection of person data requires written consent of the ‘provider’.
Compliance requires a Privacy Policy
2.BUT ‘sensitive personal data’ is defined much more narrowly than
‘personal data’, and half the Rules only apply to ‘sensitive’ data
3.ALSO some rules only apply to benefit the ‘provider’ of the data; so will
not apply to data collected from third parties in India; but rules will apply
when the ‘provider’ is also the data subject
4.Uncertain whether consumers can claim compensation under s43A
5.Uncertain whether the Rules are intra vires s43A
Conclusion: Very questionable whether the Rules provide any or most
normal data protection principles for transactions within India
India - Principles in 2011 Rules,
applied to foreign outsourcing
Application of Rules to data collected from foreign controller
1.The foreign consumer (data subject) is not the provider, so the
rules that only apply to providers will not apply to them
Indian processor must only comply with non-disclosure, security
and deletion rules
2.The result is much the same irrespective of whether the ‘Press
Note’ has legal effect (my view is that it does not)
3.Does this stop the Indian Rules from being ‘adequate’?
Could argue that the other protections are provided under EU law
Uncertain: This would be a new form of adequacy, ‘for Europeans only’
4.Many other potential defects in relation to outsourcing:
Narrow definition of ‘sensitive personal data’
Uncertain application of s43A to benefit consumers
Result: s43A and Rules are so confusing, result is difficult to predict
Additional complication concerning
call centres in India
Where the ‘provider’ to a call centre / ‘help desk’ opera is the overseas
data subject, the exemptions favouring foreign controllers will not apply
It is necessary (and OK) for the foreign client (ie outsourcer) to collect
consents in advance from data subjects, or for the Indian company to
collect verbal consents, in order to comply with the Rules
but they may have to tell their customers why (Rule 5(3))
– The complex and uncertain operation of the Rules cannot be
assisting India’s competition with the Philippines in attracting
outsourced processing
India – Data exports (1)
1. Extra-territorial reach?
– Whole Rules do not have extra-territorial reach; s75(2) applies only
if a contravention ‘involves a computer [or] network located in India’
– BUT Rule 6(4) requires foreign 3rd P receiving data from Indian
company ‘shall not disclose it further’, even in the that country
2. Data export limitations (Rule 7)
– ‘Border control’ approach: overseas recipient must ‘ensure the same
level of data protection’ as the Rules require;
– Transfer must also be pursuant to a contract with the provider, or
with the consent of the data subject
3. No special rules for controller/processors transfers
– BUT for ‘same level of protection’, processor need only observe use
limitation, security and data retention Rules
India – Data exports (2)
4. Controller/processor contracts cannot protect
Indian data subject under Indian law
– Indian contract law generally requires privity of contract; will
not allow ‘third party beneficiaries’ to enforce
5. Indian controller is not liable for breaches by
foreign processor
India - Enforcement of Rules
• Enforcement of s43A Rules is via special system
Adjudicating Officers (AO) at first instance
Appeal to Cyber Appellate Tribunal (CAT)
But how do AO or CAT investigate complaints?
No DPA in IT Act
• AO or CAT can award compensation (unlimited)
– But damage must result from intentional or negligent act
– No other remedies available
– No examples yet of compensation under s43A
• Result?: Untested and imperfect, but plausible
India - A comprehensive privacy law?
• ‘Group of Experts’ (Chair A P Shah) reported Oct 2012 to
Planning Commission, recommending elements of a draft Bill
• In 2011, two versions of a Bill drafted by a high-level InterDepartmental Committee were leaked
• No Bill has yet been endorsed by the Government
• E.g. Key elements of leaked draft Privacy Bill (April 2011)
3 person Data Protection Authority of India (DPAI)
Covers public sectors as well as private sector
Creates tort of interference with privacy + data privacy
Very strong EU-influenced Principles, well beyond OECD
Data exports: border control – ‘adequate level of protection’
Creates Register of all Data Controllers!
Strong enforcement powers via DPAI and CAT
BUT limits its protection to Indian citizens (?)
• The ‘Group of Experts’ recommendations improved on this
India - TOC of draft Privacy Bill 2011
There is also a later version from September 2011
India – Uncertainty in 2013
• EU ‘adequacy’ remains unresolved
– EU has obtained another expert report
– India attempting to use free trade negotiations to
obtain ‘data secure status’
– Indian civil society groups lobby EU to deny
adequacy etc until a data privacy law is passed
• Dept of Personnel & Training (DoPT) has
carriage of Privacy Bill originating from 2011
– Revised draft has gone to the Union Law Ministry,
after which it will go to Cabinet
– Have the Shah Committee proposal had effect?
The rest of South Asia/SAARC
• Nepal – has a public sector data protection law
within its Right to Information Act 2007
• Bangladesh, Pakistan, Sri Lanka, Nepal etc
– No private sector data privacy initiatives
– Development of digital ID cards, as in India
– Often influenced by Indian developments
• No SAARC initiatives
– ‘South Asian Area of Regional Cooperation’
– Unlike ASEAN, no interest shown in data privacy as yet
• As with India, outsourcing may become a factor
International agreements and
data export restrictions
affecting Asia
APEC Privacy Framework
- Failure or promise?
• APEC (Asia-Pacific Economic Cooperation) grouping of of 21
economies (Chile to Singapore) has 1/2 world trade and GDP
• A regional agreement was logical:
– To create a minimum privacy standard
– To help ensure free flow of personal data
Developed by APEC ECSG Privacy Sub-group (2003-05)
– Business orgs included, consumer NGOs excluded
APEC Ministers announce Framework (2004), finalised it 2005
Question: After 8 years, what has the Framework achieved?
– In influencing more countries to protect privacy?
• Need to compare with the effect of European standards
– In developing effective means of regional personal data flows?
• Need to consider APEC’s CBPR proposals
APEC Framework's 9 Privacy Principles
Preventing Harm
Collection limitation
Uses of personal information
Integrity of Personal Information
Security Safeguards
Access and Correction
Accountability (includes due diligence in transfers)
Generally ‘OECD Lite’, a slightly weaker version of the
OECD Guidelines, plus principles I and V which add nothing
of value, and IX which is a dangerous substitute for any real
controls on data exports
APEC implementation standards
• Framework Part IV(A): ‘Domestic Implementation’
– non-prescriptive in the extreme
• Any form of regulation is OK
– Legislation not required or even recommended
– Choice of remedies supported
• No central enforcement body required
– But CBPR scheme assume one or more ‘government enforcement
• No accountability for implementation of the APEC Framework
– Few Individual Action Plans yet online 8 years after agreed
Weaker than any other international privacy instrument
– Part IV exhorts APEC members to implement the Framework
without requiring or proposing any particular means of doing so, or
any means of assessing whether they have done so
APEC’s nascent CBPR (1)
APEC finalised its CBPR system in Sept 2011, endorsed by leaders
Joint Oversight Panel (JoP) established Moscow 2012
– At least 4 APEC ‘economies’ meeting criteria to participate in CBPR must
agree to form JoP: US (chair), Taiwan, Mexico and Canada (reserve) have
agreed. (How do they meet the criteria?)
– JoP then assesses Accountability Agent (AA) applications
– Waters: Sceptical that countries with privacy laws, DPAs and cross-border
legislative requirements will see any advantage in participating (Membership
bears this out)
Stewart: explains steps companies must then take
– Company does self-assessment against APEC standards
– Company assessed (and assisted) by an Accountability Agent (separate
APEC recognition process)
– If ‘APEC-compliant’, added to directory
– AAs and/or DPAs enforce compliance with APEC standards
– Companies get periodically re-assessed for compliance
APEC’s nascent CBPR (2)
• Waters: ‘business case … to seek certification under
the CBPR system remains elusive’
– Application process is onerous, involving ‘registration’
requirements Asia-Pacific laws avoid; costs are unknown
– Benefits in countries with privacy laws elusive
– Sceptical of possibility of ‘interoperability’ with EU CBPR or
Trustmark schemes, as JoP is unlikely to be competent to
assess (Stewart sees this as a step toward ‘global solutions’).
• APEC approval of TRUSTe as first AA (2013)
– Critics say breach of its own standards damages credibility
• IBM USA first company accredited by TRUSTe (2013)
APEC’s nascent CBPR (3)
• Factors favouring APEC CBPR
– Other countries will join (Mexico and Japan next)
– EU and APEC exploring CBPR/BCR interoperability
– USA is willing to fund any country willing to develop CBPR
• Factors against APEC CBPR
– It only assists with data imports from some APEC countries
– APEC countries with data export restrictions have to find
ways to reconcile APEC CBPR with their laws
– Business case for companies to invest in getting CBPR
accreditation is not clear. Will any but US companies do so?
– Low standard of APEC Framework, and credibility loss with
TRUSTe AA accreditation may damage prospects of EU (or
other) interoperability
Conclusion: Viability of APEC CBPR still unknown

Asia-Pacific data privacy: 2011, year of revolution?