APAC 2023: Tech Themes - data at the core
In this series of four articles, we discuss the tech trends in Asia Pacific (APAC) in this Year of the Rabbit. We see how the global tech trends (see our earlier articles Tech Trends 2023; Tech Arbitration Trends 2023; and Crypto Litigation & Arbitration - Trends to Watch 2023) play out in this region with illustrations of substantive developments. For more in depth analysis, see our recently published second edition of A Guide to Technology Disputes in Asia Pacific here.
In the first of this series, we explore data themes in APAC. The remainder of the series will cover:
- AI
- Online services and content
- Crypto.
DATA AT THE CORE
More advanced cyberattacks and the need for incident management to keep up
As organisations depend more on technology and automation, the data required to support them grows in volume, becomes commoditised and is increasingly open to abuse, so we expect cyber incidents and attacks to keep rising. Such attacks will also become more sophisticated and targeted, with deepfakes and natural-language chatbots, for example, taking phishing to a new level. Managing cyber incidents will become increasingly difficult in APAC as:
- more laws and regulations come into effect (governing cybersecurity, resilience and privacy, and often sector-specific)
- existing laws and regulations are amended
- the trend of multiple regulators investigating the same cyber incident continues.
Data transfer and control regulation becoming more intricate
In terms of data protection and privacy regimes in APAC, in 2022 (and into 2023) we saw, and will continue to see, laws coming into full force. We also saw data legal frameworks containing more particular requirements and imposing stronger sanctions in the case of contravention. This means that companies face increasingly complex data governance and risk management.
International transfer of data – global cooperation and local concerns
With globalisation, the need for ease of legal transfer of data between countries cannot be denied. With international cooperation driving the Global Cross-Border Privacy Rules Forum and progress of the EU-US Data Privacy Framework expected to be speedy, businesses should soon be able to make use of related transfer mechanisms.
Against this general trend, the Australian Government has conducted a consultation on data security and localisation proposals on the grounds of sovereignty and business need. China also has a variety of data localisation requirements (both general and sector specific) depending on the sensitivity of the data in question. (For more on the impact of data localisation on the digital economy and the need for global cooperation in cross-border data flow, see our Talking Tech article Data Flows in a Modern World – International Data Flows: outlining the importance of data flows and of the bans on data localisation. For more on the PRC data regime and localisation requirements, see PRC Data Security Law – A New Milestone in Data Legislation and PRC Passes Milestone Legislation for Personal Information Protection.)
Risk management
With data regulators becoming more active and strengthening their enforcement action, and with the risk and cost of data litigation increasing, data controls and governance will be key to managing legal, operational and reputational risk for businesses.
Class actions are not yet available in some APAC jurisdictions, such as Hong Kong. Where they are available, as in Australia, class actions arising from data breaches are increasingly being investigated and filed.
Important areas of focus for regulators and courts this year are expected to be the processing of biometric data, automated decisions, and data monetisation and transfers. The use of data by big tech will continue to be scrutinised, on the agenda of both privacy and antitrust regulators.
Investor-State arbitration and data and tech
Investor-State arbitrations involving a technology-related investment are on the rise. Those brought under the auspices of the International Centre for Settlement of Investment Disputes (ICSID) now represent about 10% of ICSID's caseload.
Driven by policy concerns related to security and data privacy, government action might take the form of expropriation of IP or data on security grounds, or of crypto or data regulation that becomes too burdensome for the investor.
Recent examples of contentious government action in the tech sector include the banning of Huawei from participating in 5G networks in Europe and Australia, and the US communications regulator's call to ban TikTok. Companies may consider turning to investor-State dispute settlement to seek redress; by way of example, Huawei has filed an ICSID claim against Sweden over its 5G ban. This will be an interesting space to watch.
Changes in APAC data protection regimes
Australia
Australia's Attorney-General released the Privacy Act Review Report in February 2023, containing over 110 proposals to make Australia's privacy laws fit for purpose in the digital age and otherwise align them with global standards and arm individuals with more rights in relation to their personal information. Some key proposals include:
- requiring data breaches to be notified to relevant parties including the Australian Information Commissioner (AIC) within 72 hours instead of 30 days
- the introduction of standard contractual clauses for use when transferring personal information overseas
- introducing or enhancing individual rights, including rights to request erasure, to object and to have search results de-indexed, together with a statutory tort and a direct right of action for serious invasion of, or interference with, privacy.
Draft legislation is anticipated mid this year (see our Talking Tech article Prioritising Privacy: Highlights from Australia's Privacy Act Review Report).
In response (at least in part) to several large-scale data breaches in 2022, Australia had already amended the Privacy Act in December 2022 to increase sanctions, widen the powers of the AIC and extend the Act's extraterritorial reach.
The maximum civil penalty for serious or repeated interference with privacy, including failure to comply with the notifiable data breach (NDB) regime under the Privacy Act, increased, for a body corporate, to the greater of: (i) AU$50 million (about US$33.5 million); (ii) three times the value of the benefit obtained from the breach; or (iii) 30% of the adjusted turnover of the body corporate in the relevant breach turnover period (a minimum of 12 months). (Previously, the maximum penalty was AU$2.2 million per contravention.) This brings the maximum penalties in line with those that may be imposed under the Australian Consumer Law.
The December amendments to the Privacy Act further widened the powers of the AIC as follows:
- it now has the power to issue infringement notices imposing civil penalties for non-compliance with requests for information and documents
- the AIC may direct a business to engage an independent and appropriately qualified adviser in order to facilitate the taking of steps to rectify a breach as required by the AIC
- the AIC may pre-emptively (without the occurrence of a breach) assess compliance with the NDB regime and request information and documents
- the AIC may make disclosure in the public interest including regarding ongoing investigations and in effect, "name and shame" businesses.
The amendments also make clear that extraterritorial application to foreign organisations no longer requires their having collected or held personal information in Australia at the time of or before their alleged breach, but only that they carried on business in Australia.
The stated rationale for so extending extraterritorial reach is to catch foreign entities collecting personal information of Australians from digital platforms with foreign servers. Multinational businesses with a presence in Australia should consider the implications, particularly given the increased sanctions and powers of the AIC.
Singapore
Key amendments to Singapore's Personal Data Protection Act (PDPA) came into effect in February 2021 including the introduction of a mandatory data breach notification requirement, and legitimate interest and business improvement exceptions to the requirement of consent, as well as the widening of circumstances in which consent may be deemed (contractual necessity and notification).
A further change came into effect more recently; on 1 October 2022, maximum financial penalties for breach of the PDPA (including for failure to notify data breaches) increased to the higher of:
- up to 10% of an organisation's annual turnover in Singapore (for organisations with annual turnover of over SG$10 million)
- SG$1 million (about US$740,000).
The amendments to the PDPA which have been passed also include the introduction of an electronic data portability right for individuals, albeit this has yet to come into effect.
In terms of private actions, recent case law clarified that individuals aggrieved by a contravention of the PDPA need not first make a complaint to the Personal Data Protection Commission (PDPC) before commencing a private action and equally, the two avenues for recourse are not mutually exclusive and may be pursued at the same time. Further, the loss or damage that may be claimed in a private action may include emotional distress suffered directly as a result of the contravention and which is not trivial.
The changes to Singapore's data protection regime are in line with the APAC trend of updating legislation to reflect technological advances and global developments in data protection, such as mandatory breach notification and data portability rights. Such convergence is welcome, as it allows international organisations to adopt a more consistent approach to compliance.
Companies can also consider how they may benefit from the new exceptions to consent and broadening of deemed consent.
China
The Personal Information Protection Law (PIPL) and the Data Security Law (DSL) were introduced in 2021. These were high level laws with further guidance expected to be gradually released.
In terms of export of personal information, there are three possible avenues to do so under the PIPL, the appropriateness of which depends on the circumstances:
- security assessment by the Cyberspace Administration of China (CAC)
- certification by a prescribed specialised institution
- entry into a standard contract for cross-border transfer of personal information with the intended overseas recipient.
The CAC has published measures and guidelines for security assessment of outbound data transfers (covering the circumstances in which security assessment is required and how they should be carried out), the date for compliance being 1 March 2023.
In December 2022, updated specifications for certification of cross-border processing of personal information were released. The update newly provides that the applicant for certification must be a legal person and cannot be an entrusted party which is not able to set the purpose or means of processing, and makes the requirements for certification broadly in line with those for standard contracts. (This update was released less than six months after the original version and illustrates the rapid change of regulation in this space.)
Indeed, since then, the CAC issued measures on the standard contract for cross-border transfer of personal information, which will come into operation on 1 June 2023 and as with the security assessment route, a date for compliance has been set, namely, 1 December 2023. (For more, see our briefing China Finalises Standard Contract on Cross-Border Transfer of Personal Information). The Hong Kong PCPD issued a media statement summarising the same.
Under certain conditions (including those providing for the maximum quantity of personal information that may be involved), entry into a standard contract may be relied upon for cross-border transfer provided a personal information protection impact assessment is first carried out. Notably, there is a reminder that where security assessment is required, tactics must not be deployed to split the quantity of personal information involved to meet the requirements for standard contracts instead.
The PIPL is also expected to be supplemented by network data security management regulation, which has been issued in draft. It, among other things, clarifies that data breach incidents involving the personal data of more than 100,000 individuals or any important data must be notified to the CAC and other relevant regulators within eight hours.
Further, an important sectoral regulation under the DSL was proposed in December 2022 in the form of interim administrative measures for data security (and data export) covering data generated and collected by industry, and telecommunications service and radio operations. The data security measures required will depend on whether core or important data is involved. Catalogues of core and important data will be published by the Ministry of Industry and Information Technology (MIIT), as well as local MIIT offices. Processors themselves will also be required to identify their own core and important data and formulate their own catalogues to be filed with the MIIT.
Changes to the Cybersecurity Law (enacted in 2016 to regulate network operators and cybersecurity) have also been proposed to bring its penalties in line with those in the more recently enacted PIPL and DSL. Under the proposal, the fine for a general breach would increase to a maximum of RMB1 million and, for a severe breach, to between RMB1 million and RMB50 million (about US$150,000 to US$7.5 million) or up to 5% of the network operator's annual turnover in the immediately preceding year. Individuals may be banned from taking managerial positions in China. The increased penalties would apply to obligations relating to, for example, real-name authentication; security certification of critical network equipment and special-purpose cybersecurity products, as well as cybersecurity certification; contingency plans for cybersecurity incidents; and assistance to law enforcement.
Hong Kong
The Privacy Commissioner for Personal Data (PCPD) has been expressing its concern over data security amidst the leap towards the fourth industrial revolution and digitalisation with new ways of holding and using data, the new normal of hybrid working and the 68 (voluntary) data breach notifications received from organisations in the first seven months of 2022. Guidance on data security measures for information and communications technology was thus issued in August 2022.
As to the long overdue update of the Personal Data (Privacy) Ordinance (PDPO), which has not been comprehensively revised since 2012, the PCPD put forward proposals in 2020 including:
- establishing a mandatory data breach notification mechanism (notification to the PCPD of data breaches involving a real risk of significant harm, although no time frame was proposed)
- requiring the formulation of a data retention policy
- introducing direct regulation of data processors, not only data users, including obligations relating to data retention, security and breaches
- empowering the PCPD to directly impose administrative fines for contravention of the PDPO.
The most recent indication is that the PCPD will consult the relevant Legislative Council (or parliamentary) panel with a specific legislative proposal in the second quarter of 2023, which is then expected to pass quickly.
A recent enforcement action by the PCPD in November 2022 reminds businesses of the requirements for sharing personal data between group businesses or companies after mergers and acquisitions.
A listed company providing one-stop medical and health management services owned a number of businesses under various brands, some of which used an integrated internal system including two businesses that had been acquired by the listed company. Two clients complained of the consolidation of their personal data (originally provided to the respective businesses before their acquisition) into the integrated system without their consent for the new purpose.
The PCPD agreed that there had not been the required consent. The PCPD issued an enforcement notice requiring the listed company to take remedial action including notifying clients and obtaining their consent for the sharing of personal data between group businesses and having written policies and training in place so that staff understand the permissible use of clients' data in the integrated system.
Japan
Changes to the Act on the Protection of Personal Information (APPI) came into effect in April 2022, including introducing new requirements for transfer of personal information from Japan to another country and a mandatory obligation to notify personal data breaches to the Personal Information Protection Commission (PPC) and affected individuals.
Regarding transfer of personal information from Japan, the individual's consent is now required, and that consent must be informed: the individual must be told about the personal information protection laws or system of the importing country and the measures and safeguards that will be put in place to protect the personal information. This may be done in writing, including electronically. Alternatively, the transferee must put in place safeguards in line with the APPI, which may be achieved by contractual arrangements; information about such arrangements must be provided to individuals on request.
Where the transfer is to a third party, the transferor must continuously monitor the transferee and ensure that it complies with the safeguards in question. Notably, these obligations do not apply where the importing country (such as the UK or the EU) is deemed to provide a level of protection for personal information equivalent to Japan's.
In terms of mandatory breach notification, this is now required where the breach involves sensitive information, information the wrongful use of which may lead to economic loss, involves impropriety such as by way of a ransomware attack, or more than 1,000 individuals' personal information. A preliminary notification must be made promptly and a second final notification (going into the extent of the breach and damage, and cause of the incident) must be made within 30 to 60 days depending on the type of breach.
Conclusion
The common theme across APAC is the modernisation and strengthening of jurisdictions' data protection regimes to deal with the issues arising from increasing digitalisation and the cross-border nature of commerce.
We have seen:
- the imposition (or impending imposition) of mandatory data breach notification, given the rise in the number and sophistication of cyberattacks
- the grant (or proposed grant) to individuals of further rights to control and protect their data, such as rights to erasure and portability, in line with what is commonly available under other data protection regimes such as the GDPR, as well as the expansion or clarification of their private rights of action
- increased sanctions and widened powers for privacy regulators
- laws on the cross-border transfer of data being considered or clarified, in some cases taking a pragmatic approach that recognises countries providing an equivalent level of protection, so that the relevant requirements are waived, and in other cases treating national security as the primary concern.
With such change, in 2023, many businesses will be reviewing their data architecture, policies, processes, supplier contracts and risk exposure to address data governance and transfer requirements in a proactive and integrated manner.
For further insight into the personal data protection regimes and cybersecurity in APAC, see sections 5 and 6 of our Guide to Technology Disputes in Asia Pacific. The Guide sets out some key issues arising from technology protection, regulation and disputes in Asia-Pacific. Each section features a summary of the key issues and provides guidance on how companies operating in each of the jurisdictions highlighted should best protect and enforce their IP in a digital environment, protect their data and data privacy and handle cybersecurity incidents, and deal with a range of technology regulation and disputes, such as in the areas of AML, sanctions, anti-trust, fintech, responsible tech and product / contractual liability.