Convergence of data privacy laws and frameworks for cross-border transfers of personal data in Asia
Data protection and privacy laws have become a common feature of the legal landscape in Asia. However, significant differences exist between the data privacy laws enacted in different jurisdictions. Some are in the process of adopting such laws, while others have had bills pending for years, with uncertain outcome. Several others are in the process of significant law reform. The growing interdependence of regional privacy frameworks also impacts policies of privacy and compliance processes in Asia.
This complex environment is a source of business concern, in a context where multi-jurisdictional compliance is hard to achieve, enforcement is taking off, penalties for non-compliance are increasing and data protection and privacy regulators are setting up regional and international networks to support joint enforcement initiatives.
The combination of patchy laws and of a shifting regulatory environment also creates significant hurdles for regulatory cooperation, which public authorities may not address properly in the absence of an ad hoc, comprehensive structure of regional cooperation in data privacy.
Since 2017, ABLI has been helping to fill such gaps by offering an apolitical, non-profit and trusted platform of regional cooperation in this complex and sensitive area of the law. It relies on a unique network of data protection and privacy experts in a selection of Asian jurisdictions and enjoys the support of Data Protection Regulators and supra-national organisations of the region.
The Project was first raised on 21 January 2016 by the Honourable the Chief Justice Sundaresh Menon in his Key Note Address at the Doing Business Across Asia: Legal Convergence in an Asian Century conference held in Singapore. His Honour stated:
The second project could be aimed at the convergence of data privacy laws. This is an area that is ripe for policy and legal review and reform in this age of the Internet and smart businesses. The number of national data privacy laws in the world has grown exponentially since the first such legislation was passed in Sweden in 1973. Data privacy laws are now a common feature of the legal landscape in many countries but, in Asia, studies suggest that they are neither “universal nor … close to uniform”. This has been attributed to our different legal traditions and also to our diverse rates of development, policies and cultures. This could be earmarked as a subject that would benefit greatly from applied study. To that end, we have had preliminary discussions with similar institutes to collaborate in a joint project to draw up global principles on data privacy laws and we have thus far been met with considerable interest.
A unique network of experts in Asia and beyond
The first phase of the Project consisted in the set-up of a unique network of experts, including law practitioners, internal counsels, industry representatives, business associations, academics, on the one hand, and a wide range of public stakeholders including APAC privacy regulators, supra-national organisations, government representatives, on the other hand.
In July 2017, a team of 17 experts from 14 jurisdictions (Jurisdictional Reporters) were selected by ABLI to map the regulation of cross-border transfers of personal data in certain Asian countries (see "Jurisdictions" below). The experts comprise of those from academia and practice.
The community of regulators in the Asia Pacific region later agreed to provide input in this unique work.
Building an Asian narrative in data privacy and personal data flows
Over the years, ABLI has contributed to advancing discussions on legal convergence in Asia and increasing the Asian presence in the global privacy landscape.
Thanks to its unique collaborative model, ABLI has gained recognition as the provider of reliable comparative legal information that is verified by privacy regulators, law practitioners and industry representatives.
Such information is made freely available, together with recommendations to:
i) assist companies in their compliance efforts;
ii) support governments and regulators in the development of consistent policies in cross-border data flows; and
iii) offer a referential for Asian jurisdictions that are putting or reviewing data protection laws and/or cross-border controls in place.
Pathways for convergence
In its current phase, the Project focuses on the following priorities:
i) in-depth study of the differences and commonalities between Asian data protection systems and, where feasible, the drafting of recommendations and/or policy options to achieve convergence in this area of law in Asia;
ii) provision, upon request, of information and/or expert advice to public stakeholders and organisations that seek to promote the compatibility of national data protection frameworks in the region and beyond; and
iii) participation in projects or events organised by third parties which have the capacity to enhance convergence and improve legal certainty in the area of data protection, privacy and cross-border data transfer regulations in Asia.
The issues covered in this new phase have been selected with input from the Jurisdictional Reporters and public and private stakeholders across the region, and based on recommendations of relevant international organisations.
Until mid-2020, the Project has mainly focused on the convergence of laws and regulations on personal data flows in Asia.
In its next phase, the Project will be extended to other topics in the area of data protection and privacy laws in Asia Pacific.
ABLI's Data Privacy Forum: "Towards a shared legal ecosystem for international data transfers in Asia" (February 2018)
On 7 February 2018, ABLI hosted at the Supreme Court of Singapore a forum titled Towards a shared legal ecosystem for international data transfers in Asia (Forum) for the purpose of discussing how to achieve a common Asian framework to share and transfer information across borders.
The Forum was attended by 90 individuals from 19 jurisdictions, comprising representatives from government, data protection regulators, industry, non-governmental organisations (NGO) and the legal community. Such a meeting was a first for Asia.
Further details on the Forum are available here. The Straits Times' report on the Data Privacy Forum is available in its issue of 7 February 2018.
ABLI's Privacy Compendium: "Regulation of Cross-Border Transfers of Personal Data in Asia" (May 2018)
In May 2018, ABLI launched its second publication in ABLI's Legal Convergence Series titled Regulation of Cross-Border Transfers of Personal Data in Asia (Compendium).
The Compendium comprises 14 reports (Jurisdictional Reports) prepared by the Jurisdictional Reporters on the regulation of cross-border transfers of personal data in 14 Asian jurisdictions.
The first of its kind in Asia, the Compendium provides a holistic study of the regulation of data transfers in these different jurisdictions, which goes beyond a mere study of data transfer provisions in Asian data privacy laws to address the wider spectrum of issues that have an impact on the legal framework of cross-border data flows. It is designed for governments, data privacy regulators, law practitioners and industry, in Asia and beyond, to understand the scope, the operation and the implementation of regulations applicable to data transfers and data localisation requirements in the region.
On 2 December 2019, ABLI published of the Chinese translation of the Compendium. The translation was made possible with contribution of Peking University and a network of senior data protection officers in China.
An update to the Compendium is scheduled for release in early 2021.
ABLI's Data Privacy Workshop and side events during Privacy Awareness Week (May 2019)
On 21 May 2019, the Personal Data Protection Commission (Singapore)
and ABLI held a workshop
with 50 representatives from the legal profession, industry, regulators and government. Participants from 15 jurisdictions discussed, among others, general frameworks for data transfer regulations in Asian laws, accountability instruments for data transfers in Asia (APEC CBPRs, contracts, BCRs and certification, among others), data localisation in Asian legal systems and the ‘Right to Data Portability’ in Asia.
Several side events were held in Singapore during that week, including a closed-door workshop with regulators and governments from Cambodia, Hong Kong SAR, India, Japan, Lao PDR, Malaysia, New Zealand, the Philippines, Singapore and Thailand to discuss issues regarding cross-border transfer of personal data in Asia, and a closed-door workshop with the Jurisdictional Reporters and industry representatives.
Transferring Personal Data in Asia: A path to legal certainty and regional convergence (May 2020)
On 30 May 2020, ABLI published a Comparative Review and Table on the laws and regulations on cross-border data transfers in 14 APAC jurisdictions. This unique piece of work aims to provide the public stakeholders of the region that are currently drafting or reviewing their transfer frameworks with an overview and analysis of the transfer principles, legal grounds and mechanisms that operate in the laws of their neighbours on areas such as consent, contracts, BCR, certification, CBPR, privacy codes, adequacy, statutory exemptions and localisation.
This work further analyses the main areas of differences, but also the potential of convergence in many transfer provisions in Asian laws, with recommendations attached.
Like its previous publications, ABLI prepared the Comparative Review and Table with input from its network of country experts, law practitioners and other industry experts familiar with Asian data protection developments. APAC regulators also provided comments and confirmed the information related to their national legal frameworks.
A trusted partner
ABLI has gained recognition as a credible and trusted stakeholder by organisations as diverse as governments, business groups, supra-national institutions, data protection regulators, privacy professionals, academics, think tanks and NGOs, across Asia and beyond.
Since the Project's launch, Dr Clarisse Girot, Senior Research Fellow and Data Privacy Project Lead, has been invited to contribute to a multitude of events, publications and projects through which ABLI has promoted the importance of legal certainty and convergence in the area of data privacy in Asia.
- 5 January: Delivered keynote speech at the Greater Bay Area Data Interconnection and Secure Development Summit hosted by the China Free Trade Zone Infoport in Zhuhai, China
- 2 March: ABLI submitted comments to the Joint Parliamentary Committee on the Data Protection Bill of India
- 11 April: Invited to take part in the OCED online workshop on "Addressing the Data Governance and Privacy Challenges in the Fight against COVID-19", supported by the Global Privacy Assembly (GPA)
- 16 April: Dr Girot published an article on Singapore's contact tracing app TraceTogether in Dalloz Actualités, a leading French law review
- May: Dr Girot was invited to become a member of the Sedona Conference Working Group Series (WGS)
- 28 May: Publication of ABLI’s Comparative Table and Analytical Review on the laws and regulations on cross-border data transfers in 14 Asia-Pacific jurisdictions
- 22 June: Article on ABLI's Comparative Review "Transferring Personal Data in Asia" published in the Summer issue of Privacy Laws & Business International Report
- 30 June: Virtual program for the IAPP Summit Sessions on "Privacy awareness redux: How to promote privacy from governments to employees"
- 16 July: "Data Protection Trajectories in ASEAN" with JJ Disini and Philippines Privacy Commissioner Raymund Liboro, Digital Transformation Thursdays hosted by Disini Law Office
- 3 August: Announcement of the selection of the Project to be showcased at the 3rd edition of the Paris Peace Forum
- 27 August: Dr Girot published Cross-border data protection needs less formal, bottom-up approach on the Business Times
- 22 September: Panel discussion on "Doing Digital Business Beyond the Beltway and Brussels’ at the American Bar Association Virtual Annual Conference
- 29 September: ABLI organised and chaired the session "Converging Data Protection Approaches" at TechLaw.Fest 2020
- 21 October: Panellist on session on Asian privacy developments hosted by InfoGovernance ANZ, community of information governance professionals in Australia and New Zealand
- 12 November: Data Privacy Project showcased at the 3rd edition of the Paris Peace Forum
- 13-15 November: Global Privacy Assembly (GPA) 2020
- 17 November: IAPP Web Conference - Changing Needs, Changing Laws: The Origin and Impact of China’s draft Personal Information Protection Law
- December: Virtual Workshops on Data Flows in Philippines and Thailand organized by the World Economic Forum in the context of the “Digital ASEAN” program
- 9 December: Workshop on "Best Practices in Personal Data Protection in the Digital Environment", co-organised by the United Nations Development Programme, EU Delegation in Hanoi and the Ministry of Public Security of Vietnam
- 17 December: Dr Girot contributed to APEC Privacy Roundtable organised by Microsoft, the National Center for APEC, and BSA l the Software Alliance to explore options for the APEC 2021 Agenda to strengthen privacy regulatory coherence
- 28 March (Jakarta, Indonesia): Panel discussion on personal data protection organised by K&K Advocates and the Ministry of Communication and Informatics (Kominfo)
- 29 March: Presentation of the Project at a meeting with the ASEAN Secretariat
- 24 May (New Delhi, India): Meetings with Justice BN Srikrishna, chair of the Working Committee on the Draft Data Protection Bill of India and the Ministry of Electronics and Information Technology (MeitY)
- 25 May (New Delhi, India): Session chair at the "Privacy in the Digital Age" conference organised by the European Commission and the Centre for Internet and Society (CIS)
- 5 June 2018 (Beijing, China): Speaker at the 2018 Annual Forum of the Research Alliance for Data Governance and Cyber Security, Peking University
- 25 July 2018 (Singapore): Chaired session "Pathways to Convergence in Asian Data Protection Law" at IAPP Asia Privacy Forum 2018
- 26 July 2018 (Singapore): Chaired the first session "Digital Economy and its Impact on the Law' at the ABLI-UNCITRAL Emergence Conference
- September 2018: Dr Girot co-authored the World Bank Group’s 2018 Digital Report on the Digital Economy in ASEAN (released in March 2019) aimed at supporting ASEAN governments’ policies on disruptive technology and the digital economy
- 26 September: "Regulation of Cross-Border Transfers of Personal Data in Asia" is referred to by the Supreme Court of India in its landmark judgment on the constitutionality of India's Aadhaar system
- 28 September (Hangzhou, China): Panel discussion at the 3rd China Conference on Data Security and Privacy Protection organised by Alibaba Data Security Institute and Guiyang Big Data Security Engineering Research Centre (see report by co-panellist Samm Sacks)
- 3 October (Singapore): Panel discussion at workshop "A Future Ready ASEAN: Creating an Inclusive Digital Ecosystem" organised by Singapore Institute of International Affairs, Google and the Ministry of Foreign Affairs
- 26 October (Brussels, Belgium): Panel discussion at a side event on cross-border data flows organised by the Personal Information Protection Commission of Japan on the sidelines of the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC)
- 8 December (Singapore): Panel discussion at "Human Rights and Digital Security", conference on the 70th Anniversary of the UDHR, European Union Delegation to Singapore
The Project considers the regulations in the jurisdictions represented by ABLI's Board of Governors, other Asian and Oceanic jurisdictions which have cross-border controls in place and others Asian jurisdictions which are considering putting such controls in place. That is:
Australia, China, Hong Kong SAR, India, Indonesia, Japan, Macau SAR, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand and Vietnam.
Consistent with ABLI's Asia-centric focus, 88% of contributors are from ASEAN, East Asia and South Asia—with an additional 12% from Australia and New Zealand. Congruent with ABLI's aim of providing practical guidance, 71% of contributors are practitioners, with an additional 18% from academia and another 12% from a not-for-profit research and policy organisation.
Project Lead and Editor
||Dr Clarisse GIROT is a Senior Research Fellow at the Asian Business Law Institute. Dr Girot was previously Counsel to the President of the French data privacy regulator, Commission nationale de l'informatique et des libertés (CNIL), and prior to that Dr Girot was head of CNIL’s department for European and International Affairs.
- Mr CAI Kemeng, Dentons Beijing Office (China)
- Mr Ken CHIA, Baker & McKenzie - Wong & Leow (Singapore)
- Mr David DUNCAN, Tilleke & Gibbins (Thailand)
- Mr JJ DISINI, Disini & Disini Law Office (Philippines)
- Katrine EVANS, Hayman Lawyers (New Zealand)
- Ms Elonnai HICKOK, Centre for Internet and Society (India)
- Associate Professor Kaori ISHII, University of Tsukuba (Japan)
- Mr Danny KOBRATA, K&K Advocates (Indonesia)
- Mr Justi KUSUMAH, K&K Advocates (Indonesia)
- Mr Peter LEONARD, Gilbert + Tobin (Australia)
- Professor Abu Bakar MUNIR, University of Malaya (Malaysia)
- Mr Kwang Bae PARK, Lee & Ko (Korea)
- Mr Mark PARSONS, Hogan Lovells (Hong Kong SAR)
- Ms Waewpen PIEMWICHAI, Tilleke & Gibbins (Vietnam)
- Ms Graça SARAIVA, Venetian Macau Limited (Macau SAR)
- Mr Amber SINHA, Centre for Internet and Society (India)
- Professor Fumio SHIMPO, Keio University (Japan)
You might also like...
See ABLI's other projects.