Convergence of data privacy laws and frameworks for cross-border transfers of personal data in Asia 

Background

Data protection and privacy laws have become a common feature of the legal landscape in Asia. However, significant differences exist between the data privacy laws enacted in different jurisdictions. Some are in the process of adopting such laws, while others have had bills pending for years, with uncertain outcome. Several others are in the process of significant law reform. The growing interdependence of regional privacy frameworks also impacts policies of privacy and compliance processes in Asia. 

This complex environment is a source of business concern, in a context where multi-jurisdictional compliance is hard to achieve, enforcement is taking off, penalties for non-compliance are increasing and data protection and privacy regulators are setting up regional and international networks to support joint enforcement initiatives.

The combination of patchy laws and of a shifting regulatory environment also creates significant hurdles for regulatory cooperation, which public authorities may not address properly in the absence of an ad hoc, comprehensive structure of regional cooperation in data privacy.

Since 2017, ABLI has been helping to fill such gaps by offering an apolitical, non-profit and trusted platform of regional cooperation in this complex and sensitive area of the law. It relies on a unique network of data protection and privacy experts in a selection of Asian jurisdictions and enjoys the support of Data Protection Regulators and supra-national organisations of the region.

Conception

The Project was first raised on 21 January 2016 by the Honourable the Chief Justice Sundaresh Menon in his Key Note Address at the Doing Business Across Asia: Legal Convergence in an Asian Century conference held in Singapore. His Honour stated:

The second project could be aimed at the convergence of data privacy laws. This is an area that is ripe for policy and legal review and reform in this age of the Internet and smart businesses. The number of national data privacy laws in the world has grown exponentially since the first such legislation was passed in Sweden in 1973.1 Data privacy laws are now a common feature of the legal landscape in many countries but, in Asia, studies suggest that they are neither “universal nor … close to uniform”.2 This has been attributed to our different legal traditions and also to our diverse rates of development, policies and cultures. This could be earmarked as a subject that would benefit greatly from applied study. To that end, we have had preliminary discussions with similar institutes to collaborate in a joint project to draw up global principles on data privacy laws and we have thus far been met with considerable interest.

Key features

A unique network of experts in Asia and beyond

The first phase of the Project consisted in the set-up of a unique network of experts, including law practitioners, internal counsels, industry representatives, business associations, academics, on the one hand, and a wide range of public stakeholders including APAC privacy regulators, supra-national organisations, government representatives, on the other hand.

In July 2017, a team of 17 experts from 14 jurisdictions (Jurisdictional Reporters) were selected by ABLI to map the regulation of cross-border transfers of personal data in certain Asian countries (see "Jurisdictions" below). The experts comprise of those from academia and practice.

The community of regulators in the Asia Pacific region later agreed to provide input in this unique work.

Building an Asian narrative in data privacy and personal data flows

Over the years, ABLI has contributed to advancing discussions on legal convergence in Asia and increasing the Asian presence in the global privacy landscape.

Thanks to its unique collaborative model, ABLI has gained recognition as the provider of reliable comparative legal information that is verified by privacy regulators, law practitioners and industry representatives. 

Such information is made freely available, together with recommendations to:

i)  assist companies in their compliance efforts;

ii)  support governments and regulators in the development of consistent policies in cross-border data flows; and

iii)  offer a referential for Asian jurisdictions that are putting or reviewing data protection laws and/or cross-border controls in place. 

Pathways for convergence

In its current phase, the Project focuses on the following priorities:

i)  in-depth study of the differences and commonalities between Asian data protection systems and, where feasible, the drafting of recommendations and/or policy options to achieve convergence in this area of law in Asia;

ii)  provision, upon request, of information and/or expert advice to public stakeholders and organisations that seek to promote the compatibility of national data protection frameworks in the region and beyond; and

iii) participation in projects or events organised by third parties which have the capacity to enhance convergence and improve legal certainty in the area of data protection, privacy and cross-border data transfer regulations in Asia.

The issues covered in this new phase have been selected with input from the Jurisdictional Reporters and public and private stakeholders across the region, and based on recommendations of relevant international organisations.

Workstreams

Until mid-2020, the Project has mainly focused on the convergence of laws and regulations on personal data flows in Asia.

In its next phase, the Project will be extended to other topics in the area of data protection and privacy laws in Asia Pacific.

Key milestones

ABLI's Data Privacy Forum: "Towards a shared legal ecosystem for international data transfers in Asia" (February 2018)

On 7 February 2018, ABLI hosted at the Supreme Court of Singapore a forum titled Towards a shared legal ecosystem for international data transfers in Asia (Forum) for the purpose of discussing how to achieve a common Asian framework to share and transfer information across borders.

The Forum was attended by 90 individuals from 19 jurisdictions, comprising representatives from government, data protection regulators, industry, non-governmental organisations (NGO) and the legal community. Such a meeting was a first for Asia.

Further details on the Forum are available here. The Straits Times' report on the Data Privacy Forum is available in its issue of 7 February 2018.

ABLI's Privacy Compendium: "Regulation of Cross-Border Transfers of Personal Data in Asia" (May 2018)

In May 2018, ABLI launched its second publication in ABLI's Legal Convergence Series titled Regulation of Cross-Border Transfers of Personal Data in Asia (Compendium).

Regulation of Cross-Border Transfers of Personal Data in Asia
   Regulation of Cross-Border Transfers of Personal Data in Asia (softcover)
May 2018
by Dr Clarisse Girot (editor)

Download the free pdf

 

点击免费下载中文版

 

The Compendium comprises 14 reports (Jurisdictional Reports) prepared by the Jurisdictional Reporters on the regulation of cross-border transfers of personal data in 14 Asian jurisdictions.

The first of its kind in Asia, the Compendium provides a holistic study of the regulation of data transfers in these different jurisdictions, which goes beyond a mere study of data transfer provisions in Asian data privacy laws to address the wider spectrum of issues that have an impact on the legal framework of cross-border data flows. It is designed for governments, data privacy regulators, law practitioners and industry, in Asia and beyond, to understand the scope, the operation and the implementation of regulations applicable to data transfers and data localisation requirements in the region.

On 2 December 2019, ABLI published of the Chinese translation of the Compendium. The translation was made possible with contribution of Peking University and a network of senior data protection officers in China.

An update to the Compendium is scheduled for release in early 2021.

ABLI's Data Privacy Workshop and side events during Privacy Awareness Week (May 2019)

On 21 May 2019, the Personal Data Protection Commission (Singapore) and ABLI held a workshop with 50 representatives from the legal profession, industry, regulators and government. Participants from 15 jurisdictions discussed, among others, general frameworks for data transfer regulations in Asian laws, accountability instruments for data transfers in Asia (APEC CBPRs, contracts, BCRs and certification, among others), data localisation in Asian legal systems and the ‘Right to Data Portability’ in Asia.

Several side events were held in Singapore during that week, including a closed-door workshop with regulators and governments from Cambodia, Hong Kong SAR, India, Japan, Lao PDR, Malaysia, New Zealand, the Philippines, Singapore and Thailand to discuss issues regarding cross-border transfer of personal data in Asia, and a closed-door workshop with the Jurisdictional Reporters and industry representatives.

Transferring Personal Data in Asia: A path to legal certainty and regional convergence (May 2020)

On 30 May 2020, ABLI published a Comparative Review and Table on the laws and regulations on cross-border data transfers in 14 APAC jurisdictions. This unique piece of work aims to provide the public stakeholders of the region that are currently drafting or reviewing their transfer frameworks with an overview and analysis of the transfer principles, legal grounds and mechanisms that operate in the laws of their neighbours on areas such as consent, contracts, BCR, certification, CBPR, privacy codes, adequacy, statutory exemptions and localisation.

This work further analyses the main areas of differences, but also the potential of convergence in many transfer provisions in Asian laws, with recommendations attached.

Like its previous publications, ABLI prepared the Comparative Review and Table with input from its network of country experts, law practitioners and other industry experts familiar with Asian data protection developments. APAC regulators also provided comments and confirmed the information related to their national legal frameworks.

A trusted partner

ABLI has gained recognition as a credible and trusted stakeholder by organisations as diverse as governments, business groups, supra-national institutions, data protection regulators, privacy professionals, academics, think tanks and NGOs, across Asia and beyond.

Since the Project's launch, Dr Clarisse Girot, Senior Research Fellow and Data Privacy Project Lead, has been invited to contribute to a multitude of events, publications and projects through which ABLI has promoted the importance of legal certainty and convergence in the area of data privacy in Asia.

2020

  • 5 January: Delivered keynote speech at the Greater Bay Area Data Interconnection and Secure Development Summit hosted by the China Free Trade Zone Infoport in Zhuhai, China
  • 11 April: Invited by OECD to take part in the online workshop on "Addressing the Data Governance and Privacy Challenges in the Fight against COVID-19", supported by the Global Privacy Assembly (GPA)
  • 16 April: Dr Girot published an article on Singapore's contact tracing app TraceTogether in Dalloz Actualités, a leading French law review 
  • May: Dr Girot was invited to join the Sedona Conference Working Group Series (WGS)
  • 22 June: Dr Clarisse Girot published an article on ABLI's Comparative Review "Transferring Personal Data in Asia" in the Summer issue of Privacy Laws & Business International Report
  • 16 July: Recording of the 5th edition of the Digital Transformation Thursdays on "Data Protection Trajectories in ASEAN" which was hosted by Disini Law Office with JJ Disini and National Privacy Commissioner Raymund Liboro of the Philippines who is also Chair of ASEAN Data Privacy Forum
  • 30 June: Recording of a virtual program for the IAPP Summit Sessions with ShanShan Pa, head of compliance and privacy (US & EMEA) of Alibaba Cloud, and Galaad Delval, Data Protection Officer and researcher at Chen & Co Law Firm in Shanghai on "Privacy awareness redux: How to promote privacy from governments to employees"
  • 3 August: Announcement of the selection of the Project to be showcased at the 3rd edition of the Paris Peace Forum
  • 22 September: Panel discussion on "Doing Digital Business Beyond the Beltway and Brussels’ at the American Bar Association Virtual Annual Conference (tba)
  • 29 September: ABLI organises and chairs the session "Converging Data Protection Approaches" at TechLaw.Fest 2020
  • 21 October (tbc): Panellist on session on Asian privacy developments hosted by InfoGovernance ANZ
  • ABLI’s Data Privacy Project showcased at the 3rd edition of the Paris Peace Forum (tba)

2019 

  • 30 January (Brussels, Belgium): "Converging Norms in Emerging Markets: The Trajectory of Data Protection Reform in Asia", Computers, Privacy and Data Protection Conference (CPDP2019)
  • 7 March 2019 (Hanoi, Vietnam): Workshop "Policy Issues to Support the Development of Vietnam's Digital Economy’' organised by Vietnam's Ministry of Industry and Trade and the World Bank
  • March 2019 (Hangzhou, China): eynote speech and session chair at the Luohan Academy’s Privacy and Data Governance conference with Professor Jean Tirole, Ms Wei Lu, Mr James Dempsey, and Hong Kong Privacy Commissioner Stephen Wong
  • 29 March (Singapore): Presentation to French corporate heads and their in-house and external counsel at the French Embassy to Singapore
  • 29-30 May (Tokyo, Japan): Panel discussion at the 51st Asia Pacific Privacy Authorities (APPA) Forum
  • 3 June (Tokyo, Japan): Keynote address delivered at the G20 side event - International Seminar on Personal Data organised by the Personal Information Protection Commission of Japan
  • 18 June (Hong Kong, China): Panel discussions at the 11th International Programme on Cross-border Data Transfers and Data Protection Laws at the Sedona Conference
  • 27 June (Singapore): SIIA-Clingendael Dialogue "Enhancing EU-Singapore Connectivity" organised by Singapore Institute of International Affairs, Clingendael Institute and EU Delegation to Singapore
  • 15 July (Singapore): Panel discussion "The rise in data localisation: How can we navigate safely?" organised by IAPP Asia 2019
  • 16 July (Singapore): Panel discussion "EU-Japan adequacy decisions: what next?" organised by IAPP Asia 2019
  • 9 September (Singapore): Panel discussion "Future of Data" at India-Singapore Business and Innovation Summit - the Next Phase
  • 18 September (Singapore): Introduction speech at the Annual International Association of Transportation Airlines (IATA) Legal Forum
  • 7 October (Singapore): Panel discussion at Hinrich Foundation-NUS Executive Programme - Asia’s Digital Landscape and Data Privacy, Security and Cross Border Trade
  • 15 October (Singapore): Guest panellist at workshop "Data Privacy in ASEAN" organised by ICE71 x French Tech Cyber
  • 21-24 October (Tirana, Albania): Attendance at the closed and public sessions and invitation for comments during the opening session at the 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC), "Convergence and connectivity raising global data protection standards in the digital age"
  • 6 November (Singapore): Panel discussion and delivery of concluding remarks at Conference "Reaping the Data Privacy Dividend: Protecting Personal Data as a Competitive Advantage" organised by the Personal Data Protection Commission and European Union Delegation (Singapore) 
  • 18 November (Paris, France): Presentation in OECD expert consultation on privacy enforcement and emerging technologies at the 1st Session of Data Governance and Privacy in the Digital Economy, co-organised by EPIC and the United Kingdom Information Commissioner's Office (ICO) in the context of the review of implementation of the OECD Privacy Guidelines
  • 3-4 December (Cebu, Philippines): session chair at the 52nd Asia Pacific Privacy Authorities (APPA) Forum

2018 

  • 28 March (Jakarta, Indonesia): Panel discussion on personal data protection organised by K&K Advocates and the Ministry of Communication and Informatics (Kominfo)
  • 29 March: Presentation of the Project at a meeting with the ASEAN Secretariat
  • 24 May (New Delhi, India): Meetings with Justice BN Srikrishna, chair of the Working Committee on the Draft Data Protection Bill of India and the Ministry of Electronics and Information Technology (MeitY)
  • 25 May (New Delhi, India): Session chair at the "Privacy in the Digital Age" conference organised by the European Commission and the Centre for Internet and Society (CIS)
  • 5 June 2018 (Beijing, China): Speaker at the 2018 Annual Forum of the Research Alliance for Data Governance and Cyber Security, Peking University 
  • 25 July 2018 (Singapore): Chaired session "Pathways to Convergence in Asian Data Protection Law" at IAPP Asia Privacy Forum 2018 
  • 26 July 2018 (Singapore): Chaired the first session "Digital Economy and its Impact on the Law' at the ABLI-UNCITRAL Emergence Conference
  • September 2018: Dr Girot co-authored the World Bank Group’s 2018 Digital Report on the Digital Economy in ASEAN (released in March 2019) aimed at supporting ASEAN governments’ policies on disruptive technology and the digital economy
  • 26 September: "Regulation of Cross-Border Transfers of Personal Data in Asia" is referred to by the Supreme Court of India in its landmark judgment on the constitutionality of India's Aadhaar system
  • 28 September (Hangzhou, China): Panel discussion at the 3rd China Conference on Data Security and Privacy Protection organised by Alibaba Data Security Institute and Guiyang Big Data Security Engineering Research Centre (see report by co-panellist Samm Sacks)
  • 3 October (Singapore): Panel discussion at workshop "A Future Ready ASEAN: Creating an Inclusive Digital Ecosystem" organised by Singapore Institute of International Affairs, Google and the Ministry of Foreign Affairs
  • 26 October (Brussels, Belgium): Panel discussion at a side event on cross-border data flows organised by the Personal Information Protection Commission of Japan on the sidelines of the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC)
  • 8 December (Singapore): Panel discussion at "Human Rights and Digital Security", conference on the 70th Anniversary of the UDHR, European Union Delegation to Singapore

Jurisdictions

The Project considers the regulations in the jurisdictions represented by ABLI's Board of Governors, other Asian and Oceanic jurisdictions which have cross-border controls in place and others Asian jurisdictions which are considering putting such controls in place. That is:

 Australia, China, Hong Kong SAR, India, Indonesia, Japan, Macau SAR, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand and Vietnam.

Contributors

Consistent with ABLI's Asia-centric focus, 88% of contributors are from ASEAN, East Asia and South Asia—with an additional 12% from Australia and New Zealand. Congruent with ABLI's aim of providing practical guidance, 71% of contributors are practitioners, with an additional 18% from academia and another 12% from a not-for-profit research and policy organisation. 

Project Lead and Editor

Dr Clarisse Girot
   Dr Clarisse GIROT is a Senior Research Fellow at the Asian Business Law Institute. Dr Girot was previously Counsel to the President of the French data privacy regulator, Commission nationale de l'informatique et des libertés (CNIL), and prior to that Dr Girot was head of CNIL’s department for European and International Affairs.

 

Jurisdictional Reporters

  1. Mr CAI Kemeng, Dentons Beijing Office (China)
  2. Mr Ken CHIA, Baker & McKenzie - Wong & Leow (Singapore)
  3. Mr David DUNCAN, Tilleke & Gibbins (Thailand)
  4. Mr JJ DISINI, Disini & Disini Law Office (Philippines)
  5. Katrine EVANS, Hayman Lawyers (New Zealand)
  6. Ms Elonnai HICKOK, Centre for Internet and Society (India)
  7. Associate Professor Kaori ISHII, University of Tsukuba (Japan)
  8. Mr Danny KOBRATA, K&K Advocates (Indonesia)
  9. Mr Justi KUSUMAH, K&K Advocates (Indonesia)
  10. Mr Peter LEONARD, Gilbert + Tobin (Australia)
  11. Professor Abu Bakar MUNIR, University of Malaya (Malaysia)
  12. Mr Kwang Bae PARK, Lee & Ko (Korea)
  13. Mr Mark PARSONS, Hogan Lovells (Hong Kong SAR)
  14. Ms Waewpen PIEMWICHAI, Tilleke & Gibbins (Vietnam)
  15. Ms Graça SARAIVA, Venetian Macau Limited (Macau SAR)
  16. Mr Amber SINHA, Centre for Internet and Society (India)
  17. Professor Fumio SHIMPO, Keio University (Japan)

 

You might also like...

See ABLI's other projects.


  1. Graham Greenleaf, Asian Data Privacy Laws: Trade and Human Rights Perspectives (Oxford University Press, 2015) (Asian Data Privacy Laws) at pp 6–7

  2. Asian Data Privacy Laws at p 12.




Copyright © 2020 Asian Business Law Institute.

Asian Business Law Institute

1 Supreme Court Lane, Level 6
Singapore 178879

Main line: (65) 6332 4388

Email: info@abli.asia