BriefsSince Europe’s GDPR came into force more than two years ago, data privacy and protection have become priorities for regulators and businesses across the Asian region. Between 2019 and 2020, a flurry of data privacy laws was developed, with China, Singapore, Sri Lanka, Thailand, India, Japan and Hong Kong among those offering new guidelines and requirements. And still, more are expected, now bringing with them the prospect off larger fines than before.

 

Carolyn Bigg, head of privacy for Asia at DLA Piper, says the handing out of big fines will mark the next front in the war to protect data.

“So there’s there’s been certain places around Asia that have had new laws in the past few years, that maybe have provided for this high level of fine, but actually, in reality, there hasn’t been enforcement action, or they haven’t had the resources within the regulator to actually start enforcing them,” Bigg says.

Across the region, there are some laws that “look more like GDPR than others,” she notes. “Places like Thailand and the Philippines, they’re at too early a stage to really be near implementing these sorts of levels of fine. But we see more experienced regulators, like New Zealand and Singapore and Australia, with these levels of fines.”

Still, authorities are moving quite slowly when it comes to implementing the fines. While Singapore has pressed forward with new data privacy regulations, the “higher level of fines” will not come into force until 2022 “at the earliest,” Bigg says, adding that the reasoning behind this was somewhat unclear.

While the pandemic and the potential impact on businesses may make up part of the reason, she suggests that this may be by design.

“When the Singapore regulator first introduced the PDPA back in 2014, they were very good at taking a measured approach to education first and then over a period a time-shifted the focus from education to more active enforcement. I wonder if that’s what they’re doing now,” she muses.

A consistent market trend is the move to introduce mandatory breach notification laws. “So if you have a big data incident, it becomes mandatory to report this incident, and places like New Zealand, Singapore, China, and others have that,” Bigg says, adding these laws “are definitely coming”.

While the pandemic may be in part to blame, given wielding such large fines and harsh penalties around data privacy management is relatively new territory in Asia, regulators are likely operating from a place of caution.

“I think probably the pandemic is holding it up slightly, I do think it’s also the regulators finding their feet as well,” she says.

Generally, the prioritisation of data privacy has moved rather quickly in Asia, with pandemic placing something of a magnifying glass over the handling and managing of data by businesses.

Last year there was the initial question of “how do you deal with data related to the pandemic, whether that’s employee travel histories and whether it's remote working,” says Bigg. This subsequently evolved with the pandemic, which prompted uncharted territory around disclosing employee data, and whether business can ask employees about matters such as travel history, health data, close contact “and now vaccinations,” she says.

“That’s really required businesses to have a multidisciplinary focus on data, so its been everybody from operational [staff], to HR, compliance, and all the way up to the board as well,” she notes, adding this has been a localised effort, with every different country having different rules around this.

More broadly, as businesses increasingly work online, data privacy has sailed up the priorities list, demanding the attention of more senior staff.

“I have seen an increased focus up to board level on these issues. I think in Asia five years ago, you’d have had very few minutes of a board’s time spent discussing cyber and data,” says Bigg, adding, “Nowadays, my understanding is for most boards its a regular agenda item. We’ve had a lot of the industry regulators have really been pushing for this to become a board-level responsibility”.

 

To contact the editorial team, please email ALBEditor@thomsonreuters.com.

Related Articles

Features

As Asia Data Privacy Laws Get Teeth, Larger Fines Are Expected

by Elizabeth Beattie |

Since Europe’s GDPR came into force more than two years ago, data privacy and protection have become priorities for regulators and businesses across the Asian region. Between 2019 and 2020, a flurry of data privacy laws was developed, with China, Singapore, Sri Lanka, Thailand, India, Japan and Hong Kong among those offering new guidelines and requirements. And still, more are expected, now bringing with them the prospect off larger fines than before.

Features

Privacy First

by Elizabeth Beattie |

In May 2019, Thailand’s Personal Data Protection Act (PDPA) officially became law. Echoing General Data Protection Regulation (GDPR) somewhat, the PDPA regulates personal data collection, storage and dissemination. But while further regulatory developments are required to ensure the law can be fully implemented, businesses should be seeking out legal help to ensure they are compliant now — and not dragging their heels — say lawyers.