Convergence of Laws and Frameworks for Cross-border Personal Data Transfers in Asia
Background
Data protection laws have become a common feature of the legal landscape in Asia. However, those laws differ significantly in different Asian jurisdictions. Some jurisdictions are in the process of adopting such laws, others have had bills pending for years, with uncertain outcomes, and some others are conducting or about to conduct significant law reforms. The growing interdependence of regional data protection frameworks also impacts policies of privacy and compliance processes in Asia.
This complex environment is a source of business concern, in a context where multi-jurisdictional compliance is hard to achieve, enforcement is taking off, penalties for non-compliance are increasing and data protection regulators are setting up regional and international networks to support joint enforcement initiatives.
The combination of patchy laws and a shifting regulatory environment also creates significant hurdles for regulatory cooperation, which public authorities may not address properly in the absence of an ad hoc, comprehensive structure of regional cooperation in data protection.
Since 2017, ABLI has been helping to fill such gaps by offering an apolitical, non-profit and trusted platform of regional cooperation in this complex and sensitive area of the law. It relies on a unique network of data protection experts in a selection of Asian jurisdictions and enjoys the support of data protection regulators and supra-national organisations of the region.
The project was first raised on 21 January 2016 by the Honourable the Chief Justice Sundaresh Menon in his Key Note Address at the Doing Business Across Asia: Legal Convergence in an Asian Century conference held in Singapore. His Honour stated:
The second project could be aimed at the convergence of data privacy laws. This is an area that is ripe for policy and legal review and reform in this age of the Internet and smart businesses. The number of national data privacy laws in the world has grown exponentially since the first such legislation was passed in Sweden in 1973.1 Data privacy laws are now a common feature of the legal landscape in many countries but, in Asia, studies suggest that they are neither “universal nor … close to uniform”.2 This has been attributed to our different legal traditions and also to our diverse rates of development, policies and cultures. This could be earmarked as a subject that would benefit greatly from applied study.
Key Features
A unique network of experts in Asia and beyond
Phase one of the project consisted in the set-up of a unique network of experts, including law practitioners, internal counsels, industry representatives, business associations and academics on the one hand, and a wide range of public stakeholders including APAC data protection regulators, supra-national organisations and government representatives on the other hand.
In July 2017, a team of 17 experts from 14 jurisdictions (Jurisdictional Reporters) were selected by ABLI to map the regulation of cross-border transfers of personal data in certain Asian jurisdictions. The experts comprise those from academia and practice.
The community of regulators in APAC later agreed to provide input in this unique piece of work.
Building an Asian narrative in data protection and personal data flows
Over the years, ABLI has contributed to advancing discussions on legal convergence in Asia and increasing the Asian presence in the global data protection landscape.
Thanks to its unique collaborative model, ABLI has gained recognition as the provider of reliable comparative legal information that is verified by regulators, law practitioners and industry representatives.
Such information is made freely available, together with recommendations to:
a) assist companies in their compliance efforts;
b) support governments and regulators in the development of consistent policies in cross-border data flows; and
c) offer reference for Asian jurisdictions that are putting or reviewing data protection laws and/or cross-border controls in place.
Pathways for convergence
The project focuses on the following priorities to promote convergence:
a) in-depth study of the differences and commonalities among Asian data protection systems and, where feasible, the drafting of recommendations and/or policy options;
b) provision, upon request, of information and/or expert advice to public stakeholders and organisations that seek to promote the compatibility of national data protection frameworks in Asia and beyond; and
c) participation in projects or events organised by third parties which have the capacity to enhance convergence and improve legal certainty in the area of data protection and cross-border data transfer regulations in Asia.
Key Milestones
Until mid-2020, the project mainly focused on the convergence of laws and regulations on personal data flows in Asia.
Regulation of Cross-Border Transfers of Personal Data in Asia (May 2018)
In May 2018, ABLI launched its second publication in ABLI’s Legal Convergence Series titled Regulation of Cross-Border Transfers of Personal Data in Asia (Data Compendium).
Regulation of Cross-Border Transfers of Personal Data in Asia (PDF)
May 2018
by Dr Clarisse Girot (editor)
The Data Compendium comprises 14 reports prepared by experts on the regulation of cross-border transfers of personal data in 14 Asian jurisdictions.
The first of its kind in Asia, the Data Compendium provides a holistic study of the regulation of data transfers in those jurisdictions, which goes beyond a mere study of data transfer provisions in Asian data protection laws to address the wider spectrum of issues that have an impact on the legal framework of cross-border data flows. It is designed for governments, data protection regulators, law practitioners and industry, in Asia and beyond, to understand the scope, operation and implementation of regulations applicable to data transfers and data localisation requirements in the region.
Translation of the Data Compendium
In December 2019, ABLI published of the Chinese translation of the Data Compendium. The translation was made possible with contribution of Peking University and a network of senior data protection officers in China.
Transferring Personal Data in Asia: A path to legal certainty and regional convergence (May 2020)
On 30 May 2020, ABLI published a Comparative Review and Table on the laws and regulations on cross-border data transfers in the same 14 jurisdictions. This unique piece of work aims to provide public stakeholders of the region that are currently drafting or reviewing their transfer frameworks with an overview and analysis of the transfer principles, legal grounds and mechanisms that operate in the laws of their neighbours on areas such as consent, contracts, BCR, certification, CBPR, privacy codes, adequacy, statutory exemptions and localisation. An update to the Comparative Review and Table was released in November 2020.
Transferring Personal Data in Asia: A path to legal certainty and regional convergence (PDF)
June 2020
by Dr Clarisse Girot (editor)
This work further analyses the main areas of differences, but also the potential of convergence, in many transfer provisions in APAC laws, with recommendations attached.
Like its previous publications, ABLI prepared the Comparative Review and Table with input from its network of jurisdiction experts, law practitioners and other industry experts familiar with Asian data protection developments. APAC regulators also provided comments and confirmed the information related to their national legal frameworks.
From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific (June 2022)
Following the announcement in August 2021 of the collaboration between ABLI and the Future of Privacy Forum (FPF), the two organisations have been working on a joint project titled From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific.
In APAC (like elsewhere), the limitations of “notice and consent” are increasingly under scrutiny. While notice and consent requirements have long been used to justify the collection and processing of personal data, this justification has increasingly been called into question. For example, the over-reliance on consent has led to the development of a “tick-the-box” approach to data protection for organisations and “consent fatigue” for individuals, which contradicts the original purpose of data protection laws.
The ABLI-FPF project aims to guide the development of data protection frameworks in APAC away from consent-centric, “tick-the-box” compliance requirements and towards responsible data practices and accountability for privacy when processing personal data. At the same time, the project recognises that effective policies need to balance the interests of individuals in protecting their personal data and organisations in using personal data, while also promoting the interests of broader society, such as developing a vibrant digital economy and preventing crimes and fraud.
The project covers the same 14 jurisdictions considered in ABLI’s earlier work in data protection.
In June 2022, ABLI and FPF began releasing reports for those 14 jurisdictions largely on a weekly basis. Those reports are available for free download (in the order of release time): China, South Korea, Hong Kong SAR, New Zealand, Australia, the Philippines, Indonesia, Malaysia, Vietnam, Thailand, India, Macau SAR, Singapore and Japan.
Those reports provide a detailed overview of relevant laws and regulations in the jurisdictions on:
- notice and consent requirements for processing personal data;
- status of alternative legal bases for processing personal data which permit such processing without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
- statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
The ABLI-FPF project culminated in the release in November 2022 of Balancing Organizational Accountability and Privacy Self-management in Asia-Pacific, a comparative review paper built upon the 14 individual reports, which provides detailed recommendations to promote legal convergence around requirements for processing personal data in APAC.
Balancing Organizational Accountability and Privacy Self-management in Asia-Pacific (PDF)
November 2022
by Asian Business Law Institute and Future of Privacy Forum
Study on transfer risk assessment (October 2023 onwards)
Data embassy
From engagement with public and private stakeholders, ABLI has learnt that one recurring pain point when it comes to transferring data across borders stems from the hesitation on the part of transferor organisations to grant access to their data. Once the transferor transfers its data to the recipient, the data falls under the possession of the recipient, leaving the transferor with limited ability to act (or react) if public authorities of the recipient’s jurisdiction require access to that data. The transferor is also often unfamiliar with the legal regimes and institutions of the recipient’s jurisdiction. Its reluctance to “part with” its data is thus understandable.
Two solutions have been proffered to tackle this pain point. One solution concerns transfer risk assessment and mitigatory measures, another area of work that ABLI is progressing simultaneously. The other solution is the creation of data embassies, a special type of offshore data centres.
But what is a data embassy? What are the data embassy models in operation today? What features does a data embassy tend to have? Is the creation of a data embassy the ultimate response to concerns over offshore public authorities’ access to data? What more needs to be done so that the overall robustness of data embassies can be enhanced?
In January 2024, ABLI issued a Data Embassy Issues Paper in an attempt to address these queries and put forward further questions for thought in the hope of eliciting more discussions among businesses, policy practitioners and public officials who are studying the data embassy concept and contemplating its adoption.
Data Embassy Issues Paper (PDF)
January 2024
by Asian Business Law Institute and Singapore Academy of Law
A trusted partner
ABLI has gained recognition as a credible and trusted stakeholder by organisations as diverse as governments, business groups, supra-national institutions, data protection regulators, privacy professionals, academics, think tanks and non-profit organisations, across Asia and beyond. A selection of ABLI’s key involvements is provided below.
2023
- 24 October: ABLI presents its work at at an online session co-organized by the APEC Business Advisory Council (ABAC) and the Asia-Pacific Financial Forum (APFF). The session was held to present this year’s ABAC recommendations, among others, on the coordinated adoption of a toolbox of business-level mechanisms supporting secure and trusted sharing of data in the region. The measures will be for consideration by APEC Finance Ministers and other officials as they prepare for the final meetings in November in San Francisco.
2022
- 26 May: ABLI hosts virtual panel Balancing Consent and Other Legal Bases in Personal Data Protection Laws: Pathways to Convergence in Europe and Asia during the Asia-Europe Law and Business Symposium co-organised by the Singapore Academy of Law and the Embassy of France in Singapore.
- June: ABLI and FPF start releasing of reports under the project of From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific.
2021
- 11 January: ABLI’s Data Privacy and others projects cited by The Honourable the Chief Justice of Singapore Sundaresh Menon in his Opening of the 2021 Legal Year speech as among the initiatives to advance rule of law in both the domestic and international space.
- 15 January: ABLI’s “Transferring Personal Data in Asia: A Path to Legal Certainty and Regional Convergence” is a winner of the Future of Privacy Forum‘s 11th Privacy Papers for Policymakers Award.
- 22 January: the 1st ASEAN Digital Ministers’ Meeting approves the ASEAN Data Management Framework (DMF) and Model Contractual Clauses for Cross Border Data Flows (MCCs). Dr Clarisse Girot, then project lead, is a member of the Ad-Hoc Committee formed by IMDA/PDPC Singapore to review the MCCs.
- 10 February: Presentation of Transferring Personal Data in Asia: A Path to Legal Certainty and Regional Convergence at the Future of Privacy Forums’ Privacy Papers for Policymakers Award
- 27 May: Dr Clarisse Girot, then project lead, spoke at a breakout session titled Schrems II in a Nutshell with Mr Wojciech Wiewiorowski, European Data Protection Supervisor, at the 4th National Data Privacy Conference organised by the National Privacy Commission of the Philippines
- June: Upon invitation by the host, Personal Information Protection Commission of Korea, ABLI presents its current initiative at a closed session on the theme of global interoperability in data protection at the 55th Asia Pacific Privacy Authorities (APPA) Forum held online in Seoul, South Korea
- 25 August: ABLI announced collaboration with the Future of Privacy Forum to drive understanding of data privacy protection and practices
2020
- 5 January: Dr Clarisse Girot, then project lead, delivers keynote speech at the Greater Bay Area Data Interconnection and Secure Development Summit hosted by the China Free Trade Zone Infoport in Zhuhai, China
- 2 March: ABLI submits comments to the Joint Parliamentary Committee on the Data Protection Bill of India
- 11 April: ABLI is invited to take part in the OCED online workshop on “Addressing the Data Governance and Privacy Challenges in the Fight against COVID-19”, supported by the Global Privacy Assembly (GPA)
- May: Dr Clarisse Girot, then project lead, is invited to become a member of the Sedona Conference Working Group Series (WGS)
- 28 May: ABLI publishes Transferring Personal Data in Asia: A path to legal certainty and regional convergence
- 22 June: Article on ABLI’s Transferring Personal Data in Asia published in the Summer issue of Privacy Laws & Business International Report
- 3 August: Announcement of the selection of ABLI’s Data Privacy Project to be showcased at the 3rd edition of the Paris Peace Forum
- 27 August: Op-ed Cross-border data protection needs less formal, bottom-up approach by Dr Clarisse Girot, then project lead, published in the Business Times
- 22 September: Panel discussion on “Doing Digital Business Beyond the Beltway and Brussels’ at the American Bar Association Virtual Annual Conference
- 29 September: ABLI organises and chairs the session “Converging Data Protection Approaches” at TechLaw.Fest 2020
- 12 November: ABLI’s Data Privacy Project showcased as “one of the 100 solutions to bounce back from Covid-19” at the 3rd edition of the Paris Peace Forum
- 13-15 November: ABLI participates in Global Privacy Assembly (GPA) 2020
- 15 November: ABLI publishes an updated version of its Transferring Personal Data in Asia: A path to legal certainty and regional convergence
- December: Virtual Workshops on Data Flows in Philippines and Thailand organized by the World Economic Forum in the context of the “Digital ASEAN” program
- 9 December: ABLI contributes international perspectives at a workshop on “Best Practices in Personal Data Protection in the Digital Environment”, co-organised in Hanoi by the United Nations Development Programme, EU Delegation in Vietnam and the Ministry of Public Security of Vietnam
2019
- 30 January (Brussels, Belgium): “Converging Norms in Emerging Markets: The Trajectory of Data Protection Reform in Asia”, Computers, Privacy and Data Protection Conference (CPDP2019)
- 7 March 2019 (Hanoi, Vietnam): Workshop “Policy Issues to Support the Development of Vietnam’s Digital Economy’’ organised by Vietnam’s Ministry of Industry and Trade and the World Bank
- March 2019 (Hangzhou, China): keynote speech and session chair at the Luohan Academy’s Privacy and Data Governance conference with Professor Jean Tirole, Ms Wei Lu, Mr James Dempsey, and Hong Kong Privacy Commissioner Stephen Wong
- 29 March (Singapore): Presentation to French corporate heads and their in-house and external counsel at the French Embassy to Singapore
- 29-30 May (Tokyo, Japan): Panel discussion at the 51st Asia Pacific Privacy Authorities (APPA) Forum
- 3 June (Tokyo, Japan): Keynote address delivered at the G20 side event – International Seminar on Personal Data organised by the Personal Information Protection Commission of Japan
- 18 June (Hong Kong, China): Panel discussions at the 11th International Programme on Cross-border Data Transfers and Data Protection Laws at the Sedona Conference
- 27 June (Singapore): SIIA-Clingendael Dialogue “Enhancing EU-Singapore Connectivity” organised by Singapore Institute of International Affairs, Clingendael Institute and EU Delegation to Singapore
- 16 July (Singapore): Panel discussion “EU-Japan adequacy decisions: what next?” organised by IAPP Asia 2019
- 9 September (Singapore): Panel discussion “Future of Data” at India-Singapore Business and Innovation Summit – the Next Phase
- 18 September (Singapore): Introduction speech at the Annual International Association of Transportation Airlines (IATA) Legal Forum
- 7 October (Singapore): Panel discussion at Hinrich Foundation-NUS Executive Programme – Asia’s Digital Landscape and Data Privacy, Security and Cross Border Trade
- 21-24 October (Tirana, Albania): Attendance at the closed and public sessions and invitation for comments during the opening session at the 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC), “Convergence and connectivity raising global data protection standards in the digital age”
- 6 November (Singapore): Panel discussion and delivery of concluding remarks at Conference “Reaping the Data Privacy Dividend: Protecting Personal Data as a Competitive Advantage” organised by the Personal Data Protection Commission and European Union Delegation (Singapore)
- 18 November (Paris, France): Presentation in OECD expert consultation on privacy enforcement and emerging technologies at the 1st Session of Data Governance and Privacy in the Digital Economy, co-organised by EPIC and the United Kingdom Information Commissioner’s Office (ICO) in the context of the review of implementation of the OECD Privacy Guidelines
- 2 December: publication of the Chinese translation of Regulation of Cross-Border Transfers of Personal Data in Asia
3-4 December (Cebu, Philippines): session chair at the 52nd Asia Pacific Privacy Authorities (APPA) Forum
2018
- 28 March (Jakarta, Indonesia): Panel discussion on personal data protection organised by K&K Advocates and the Ministry of Communication and Informatics (Kominfo)
- 29 March: Presentation of the Project at a meeting with the ASEAN Secretariat
- 24 May (New Delhi, India): Meetings with Justice BN Srikrishna, chair of the Working Committee on the Draft Data Protection Bill of India and the Ministry of Electronics and Information Technology (MeitY)
- 25 May (New Delhi, India): Session chair at the “Privacy in the Digital Age” conference organised by the European Commission and the Centre for Internet and Society (CIS)
- 5 June 2018 (Beijing, China): Speaker at the 2018 Annual Forum of the Research Alliance for Data Governance and Cyber Security, Peking University
- 25 July 2018 (Singapore): Chaired session “Pathways to Convergence in Asian Data Protection Law” at IAPP Asia Privacy Forum 2018
- 26 July 2018 (Singapore): Chaired the first session “Digital Economy and its Impact on the Law’ at the ABLI-UNCITRAL Emergence Conference
- September 2018: Dr Clarisse Girot, then project lead, co-authored the World Bank Group’s 2018 Digital Report on the Digital Economy in ASEAN (released in March 2019) aimed at supporting ASEAN governments’ policies on disruptive technology and the digital economy
- 26 September: “Regulation of Cross-Border Transfers of Personal Data in Asia” is referred to by the Supreme Court of India in its landmark judgment on the constitutionality of India’s Aadhaar system
- 26 October (Brussels, Belgium): Panel discussion at a side event on cross-border data flows organised by the Personal Information Protection Commission of Japan on the sidelines of the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC)
Jurisdictions
The project considers jurisdictions represented by ABLI’s Board of Governors, other APAC jurisdictions which have cross-border controls for personal data transfers and others Asian jurisdictions which are considering putting such controls in place.
They are Australia, China, Hong Kong SAR, India, Indonesia, Japan, Macau SAR, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand and Vietnam.
Contributors
Consistent with ABLI’s Asia-centric focus, 88% of contributors are from ASEAN, East Asia and South Asia—with an additional 12% from Australia and New Zealand. Congruent with ABLI’s aim of providing practical guidance, 71% of contributors are practitioners, with an additional 18% from academia and another 12% from a not-for-profit research and policy organisation.
Project Lead and General Editor
Dr Clarisse GIROT was a Senior Fellow with ABLI until August 2021. She was previously Counsel to the President of the French data privacy regulator, Commission nationale de l’informatique et des libertés (CNIL). Prior to that, Dr Girot was head of CNIL’s department for European and International Affairs. Dr Girot transitioned to be a Honorary Senior Fellow with ABLI in August 2021 before taking on a new full-time role with another organisation in August 2022.