In March 2022, Baker McKenzie’s Data Privacy & Security Team across offices presented the Asia Pacific edition of Deciphering Data, the Firm’s webinar series that aims to help companies and organizations decode complex developments in data privacy and cybersecurity. Our diverse team of cross-border experts offered their expertise and insight in this webinar series to help you understand the legal lay of the land and prepare for the future of privacy in Asia Pacific and beyond.

Session 1: Spotlight on Privacy Developments in Asia Pacific

The data privacy landscape in Asia Pacific has undergone major changes in recent years. The region has seen a wave of new privacy laws, regulations and amendments, which bring with them a new set of regulatory and legislative requirements. Our first session provided a roundup of the developments in the region, and how these new requirements are set to impact multinational businesses.

China

China’s Personal Information Protection Law (PIPL) came into effect on 1 November 2021. Together with the Data Security Law (DSL) which came into effect on 1 September 2021 and the Cybersecurity Law (CSL) which took effect on 1 June 2017, they form a three-pillar data protection and cybersecurity system in China. The PIPL is the first comprehensive personal data protection law in China and adopts certain concepts under the GDPR. It applies to personal information processing activities conducted within China, cross-border transfers of personal information outside of China and certain cross-border processing activities concerning data subjects in China. The DSL applies to all types of data and data processing activities carried out within the territory of China, with a focus on “important data” and state core data. The CSL has introduced the concept of “Critical Information Infrastructure” and sets out the general rules on cyber data and information security.

Vietnam

Companies should watch out for Vietnam’s four key pieces of upcoming legislation that touch on data protection and cybersecurity issues, namely the Draft Decree detailing the Law on Cybersecurity (“Draft Cybersecurity Decree“), the Draft Decree on Personal Data Protection (“Draft PDPD“), the Draft Decree on Penalties for Administrative Violations in Cybersecurity (“Draft PAVCD“), and the Draft Law on Consumer Protection (“Draft LPCR“).

The Draft Cybersecurity Decree was circulated to the Government Members for approval in May 2019 but the approval is yet to be granted (as of March 2022). The revised Draft PDPD (which has been kept confidential) is expected to be promulgated by May 2022, with further amendments to be applied by 2024. The public consultation on the Draft PAVCD ended last November but it seems that the Ministry of Public Security has not submitted the Draft PAVCD to the Government yet. The public consultation on the Draft LPCR closed in March 2022 and will require traders to comply with the regulations on personal information protection.

Hong Kong

The amended Personal Data (Privacy) Ordinance which criminalises “doxxing” took effect on 8 October 2021. “Doxxing” refers to gathering personal data of a specific targeted person and/or related persons (such as family members) through various means, e.g., public registers and discussion platforms, and disclosing such personal data on the Internet, social media or other open platforms (such as public places).

Australia

Australia is in the process of reforming the Privacy Act. There is also draft legislation for the creation of a binding online privacy code which would apply to social media services, data brokers, and certain large online platforms operating in Australia. Further, there are developments in Critical Infrastructure and Cyber Security Laws which seek to expand existing protections to more industries, with mandatory reporting requirements when the critical infrastructure is subject to a cyber-attack. The Online Safety Act came into effect in January 2022 and targets inappropriate material and cyberbullying, allowing the eSafety Commissioner to identify offending accounts in order to enforce the Act.

Access the session recording here.

Speakers: Jo-Fan Yu, Manh Hung Tran, Toby Patten, Zhenyu “Jay” Ruan and Dominic Edmondson

Session 2: Artificial Intelligence (AI) and Privacy

Global digital transformation has resulted in advancements in AI technology, alongside a keen cross-sector interest in utilizing it. However, this technology comes hand in hand with concerns around privacy, ethics, bias and discrimination. Our second session examined the implementation of certain AI’s in the region, potential regulatory developments in the Asia Pacific region in view of the proposals in the EU seeking to govern AI systems more stringently, and key privacy considerations when deploying AI solutions.

AI has become a regular sight in consumer technology — from automated text messaging to computer-controlled video game enemies and many applications that are embedded into our daily lives. However, a number of AI applications come with an increased data privacy risk which must be taken into account, such as the use of AI in an employment context, machine learning and facial recognition. Such applications necessitate the collation and use of a large amount of user data, prompting questions surrounding data privacy, data minimization, storage, legitimate purpose and data subject’s consent.

Developments in the regulation of AI

  • EU developments: The EU approach has thus far set the benchmark for regulation of AI technology, with Regulations expected in the latter half of 2022 poised to divide AI programs into categories based on their riskiness. High-risk AI, such as facial recognition and infrastructure-related AI will be subject to strict obligations, requiring risk assessments similar to the GDPR’s Data Protection Impact Assessment (DPIA). The Regulations also propose requirements related to transparency, traceability and human oversight. Obligations for lower-risk AI, such as chatbots, primarily relate to transparency and security.
  • Japan: There is currently limited regulation of AI in Japan. While the Ministry of Internal Affairs and Communications issued the Guidelines in 2018 warning those implementing AI to ensure privacy rights of users and data providers are not violated, these are quite high-level and do not address many of the issues raised by AI.
  • Australia: While Australia does not have specific privacy laws governing AI, existing privacy legislation applies broadly and impacts upon AI compliance requirements. Australia’s Privacy Act is technology-neutral, principle-based and largely limits the ways in which entities can use information for secondary purposes, requiring data controllers to disclose the purpose for which personal information is collected and to obtain consent for any further purposes. The Australian government is also examining AI regulation outside of the privacy-specific framework, issuing the AI Ethics Framework in 2019 which introduced the AI Ethics Principles. While these Principles are currently voluntary, a number of them touch on data privacy concerns when developing AI technology which mirrors the EU’s “Privacy by Design” approach. Enforcement relating to AI has focused primarily on biometrics and facial recognition, as  there were multiple enforcement actions on this front in 2021.  
  • Singapore: The Model AI Governance Framework, while not mandatory, highlights Singapore’s current approach to AI regulation. The Framework provides a baseline for industry and technology, focusing on the introduction of AI and including a compendium of use cases and a checklist for safe implementation. The approach is similar to other jurisdictions in that the Framework focuses on the principles of transparency, explicability and fairness.

Emerging privacy considerations when using AI

AI systems can be subject to a number of cybersecurity concerns — if the system is not secure, information can be extracted which can constitute a data breach and potential violation of data protection laws. The absence of specific legislation does not mean absence of repercussions, as existing privacy frameworks can apply to the data that powers the AI. Companies using AI should also be aware of where the data comes from, to ensure that the data enabling the AI to make decisions has been gathered lawfully and with the data subjects’ consent.

Access the session recording here

Speakers: Divina Ilas-Panganiban, Kensaku Takase, Simone Blackadder and Alex Toh

Session 3: Effective and Sustainable Privacy Compliance Programs

The fast-evolving global and regional data privacy landscape presents privacy counsels with the challenge of implementing and sustaining effective privacy compliance programs for their organisations. Our final session discussed the building of effective and sustainable privacy compliance frameworks, including the EU GDPR considerations.

The big picture – essential components of an effective and sustainable privacy compliance program

Cybersecurity and privacy compliance have become a major concern for companies in recent years. There are four key elements to consider to ensure that a company’s privacy compliance program is both effective and sustainable: knowledge, organisation, process & procedures and balance. Companies can only comply with what they know, and keeping a close watch on the data protection landscape is key to maintaining an effective privacy compliance program. Such programs also require an appropriate set of resources and structure that aligns with the business’ priorities and organisation. While the days of one-size-fits-all policies are over, maintaining a standard set of procedures across the board remains essential. With increased globalization, digitalization and growing complexity of products and services, compliance can be difficult when laws are not easily translated into points of action. Companies must be aware of the fast-evolving global and local data protection landscape and be able to respond as appropriate. While the GDPR remains a good starting point in designing privacy compliance programs, it is by no means the only barometer for compliance with local privacy regimes is becoming more nuanced, particularly around the Asia Pacific region. Commercial and operational considerations are also key factors to take into account in the design of a privacy compliance program, with the company’s objectives, stakeholders, structure and resources also playing a critical role in the program’s design.

Where and how to start

A key starting point is identifying a person who will be responsible for the program’s design and implementation, as well as ensuring cooperation across legal, technology, HR and commercial/marketing teams. Privacy should be built into the company’s leadership structure, and seamlessly incorporated into the day-to-day running of a business as well as its culture of compliance. Privacy programs and policies are not one-size-fits-all models — the company type and activities naturally influences the amount and type of data which the company processes, with varying compliance requirements arising. Data mapping exercises are key in identifying the types of data that companies collect and process, and therefore what they need to manage from a privacy perspective. Technology such as centralization, anonymization and organisational software should also be leveraged to improve the efficacy of a privacy compliance program.

Access the session recording here. Speakers: Yi Lin Seng (Mastercard), Florian Tannen, Paolo Sbuttoni and Sonia Ong

Author

Manh-Hung Tran is the practice group leader of the Intellectual Property (IP) and Technology Practice Groups of Vietnam offices. For years, he has been constantly ranked as a leading IP lawyer by numerous researchers such as Chambers Global and Chambers Asia. He regularly writes articles concerning pressing legal issues in both English and Vietnamese, and his works have been published regularly in various reputable publications. He has assisted the government in reviewing and revising the IP Law, the IP provisions under the country’s criminal code, the draft e-Transaction Law, and the first draft Personal Data Protection Decree, etc. While Hung's practices run the full gamut of IP work, he also specializes in the Telecommunications, Media, and Technology (TMT) practice, advising multinational corporations on data privacy, monetization, product reviews, AdTech, regulatory and user rights, cybersecurity, e-commerce, offshore social media, digital services, data breach and incidents, and other emerging technologies. He has been assisting international film studios and streaming clients with various film and TV series productions in Vietnam.

Author

Jay Ruan specializes in corporate and M&A and regulatory advisory matters in China. He has acted for clients across a broad range of industries, and has extensive experience in advising clients on strategic joint ventures and business alliances, corporate-commercial and technology transactions, TMT regulatory matters as well as financial service and insurance regulatory.

Author

Dominic is a senior associate in Baker McKenzie's Intellectual Property and Technology Practice Group in Hong Kong.

Author

Kensaku Takase is a partner in Baker McKenzie’s Tokyo office and is the Group Leader of the office's IP/IT/EC Practice Group. Mr. Takase is bilingual (Japanese and English) and focuses on intellectual property law, media law, and information technology law since 1999. He has assisted many companies in various industries with cross-border transactions in the trademark, copyright and design fields.

Author

Alex Toh is a senior associate in Baker McKenzie's Singapore office.

Author

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.

Author

Paolo Sbuttoni is a partner in the Hong Kong office of Baker McKenzie and a member of the firm's IT & Communications Practice Group. He focuses on technology agreements and transactions, e-commerce, telecommunications regulatory matters, and data privacy. Mr. Sbuttoni has presented on a number of topics relevant to his field including cloud computing contracts, data privacy, and social media.

Author

Sonia is a partner in the Intellectual Property & Technology Practice Group of Wong & Partners. She returned to private practice after successful stints as general counsel of Hewlett-Packard Malaysia and Kimberly-Clark Malaysia, Philippines and Indonesia.

Author

Jo-Fan Yu is a partner and member of Baker McKenzie Information, Technology, Communications (IT/C) and Telecoms, Media, and Technology (TMT) groups in Taipei. Jo-Fan focuses her practice on ITC, media, telecom and dispute resolution.

Author

Toby Patten is a partner in Baker McKenzie's Technology and Healthcare teams in Melbourne. Toby has more than 20 years' experience in technology, healthcare, privacy and intellectual property commercial law. In addition to his legal qualifications Toby holds a Bachelor of Science (Hons), majoring in biochemistry.

Author

Simone Blackadder is a senior associate in the Media & Content team at Baker McKenzie, Sydney. She works primarily on litigious matters within the IT, communications, media and defamation fields. Simone assists on a variety of commercial, advisory and litigious matters for a range of clients in the IT, communications, media, pharmaceutical, high end and luxury retail industries, including in relation to privacy, media, contractual, intellectual property and advertising law.

Author

Divina Ilas-Panganiban is a partner in Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group and co-heads the Technology, Media & Telecommunications (TMT) Industry Group. Divina's practice focuses on the protection of trademarks, copyright, patents and other intellectual property rights. She also assists clients in licensing and IP commercialization transactions, including franchising arrangements. She has advised various clients on regulatory and compliance matters, and has extensive experience in IP litigation cases, domain name disputes, data privacy, data breach and cyber security matters. She is an accredited arbitrator of the Philippine Intellectual Property Office and often serves as resource speaker in local and international seminars on IP and IT laws.