Convergence of data privacy laws and frameworks for cross-border transfers of personal data in Asia
Data protection and privacy laws have become a common feature of the legal landscape in Asia. However, significant differences exist between the data privacy laws enacted in different jurisdictions. Some are in the process of adopting such laws, while others have had bills pending for years, with uncertain outcome. Several others are in the process of significant law reform. The growing interdependence of regional privacy frameworks also impacts policies of privacy and compliance processes in Asia.
This complex environment is a source of business concern, in a context where multi-jurisdictional compliance is hard to achieve, enforcement is taking off, penalties for non-compliance are increasing and data protection and privacy regulators are setting up regional and international networks to support joint enforcement initiatives.
The combination of patchy laws and of a shifting regulatory environment also creates significant hurdles for regulatory cooperation, which public authorities may not address properly in the absence of an ad hoc, comprehensive structure of regional cooperation in data privacy.
Since 2017, ABLI has been helping to fill such gaps by offering an apolitical, non-profit and trusted platform of regional cooperation in this complex and sensitive area of the law. It relies on a unique network of data protection and privacy experts in a selection of Asian jurisdictions and enjoys the support of Data Protection Regulators and supra-national organisations of the region.
The Project was first raised on 21 January 2016 by the Honourable the Chief Justice Sundaresh Menon in his Key Note Address at the Doing Business Across Asia: Legal Convergence in an Asian Century conference held in Singapore. His Honour stated:
The second project could be aimed at the convergence of data privacy laws. This is an area that is ripe for policy and legal review and reform in this age of the Internet and smart businesses. The number of national data privacy laws in the world has grown exponentially since the first such legislation was passed in Sweden in 1973. Data privacy laws are now a common feature of the legal landscape in many countries but, in Asia, studies suggest that they are neither “universal nor … close to uniform”. This has been attributed to our different legal traditions and also to our diverse rates of development, policies and cultures. This could be earmarked as a subject that would benefit greatly from applied study. To that end, we have had preliminary discussions with similar institutes to collaborate in a joint project to draw up global principles on data privacy laws and we have thus far been met with considerable interest.
A unique network of experts in Asia and beyond
The first phase of the Project consisted in the set-up of a unique network of experts, including law practitioners, internal counsels, industry representatives, business associations, academics, on the one hand, and a wide range of public stakeholders including APAC privacy regulators, supra-national organisations, government representatives, on the other hand.
In July 2017, a team of 17 experts from 14 jurisdictions (Jurisdictional Reporters) were selected by ABLI to map the regulation of cross-border transfers of personal data in certain Asian countries (see "Jurisdictions" below). The experts comprise of those from academia and practice.
The community of regulators in the Asia Pacific region later agreed to provide input in this unique work.
Building an Asian narrative in data privacy and personal data flows
Over the years, ABLI has contributed to advancing discussions on legal convergence in Asia and increasing the Asian presence in the global privacy landscape.
Thanks to its unique collaborative model, ABLI has gained recognition as the provider of reliable comparative legal information that is verified by privacy regulators, law practitioners and industry representatives.
Such information is made freely available, together with recommendations to:
i) assist companies in their compliance efforts;
ii) support governments and regulators in the development of consistent policies in cross-border data flows; and
iii) offer a referential for Asian jurisdictions that are putting or reviewing data protection laws and/or cross-border controls in place.
Pathways for convergence
In its current phase, the Project focuses on the following priorities:
i) in-depth study of the differences and commonalities between Asian data protection systems and, where feasible, the drafting of recommendations and/or policy options to achieve convergence in this area of law in Asia;
ii) provision, upon request, of information and/or expert advice to public stakeholders and organisations that seek to promote the compatibility of national data protection frameworks in the region and beyond; and
iii) participation in projects or events organised by third parties which have the capacity to enhance convergence and improve legal certainty in the area of data protection, privacy and cross-border data transfer regulations in Asia.
The issues covered in this new phase have been selected with input from the Jurisdictional Reporters and public and private stakeholders across the region, and based on recommendations of relevant international organisations.
Until mid-2020, the Project has mainly focused on the convergence of laws and regulations on personal data flows in Asia.
In its next phase, the Project will be extended to other topics in the area of data protection and privacy laws in Asia Pacific.
ABLI's Data Privacy Forum: "Towards a shared legal ecosystem for international data transfers in Asia" (February 2018)
On 7 February 2018, ABLI hosted at the Supreme Court of Singapore a forum titled Towards a shared legal ecosystem for international data transfers in Asia (Forum) for the purpose of discussing how to achieve a common Asian framework to share and transfer information across borders.
The Forum was attended by 90 individuals from 19 jurisdictions, comprising representatives from government, data protection regulators, industry, non-governmental organisations (NGO) and the legal community. Such a meeting was a first for Asia.
Further details on the Forum are available here. The Straits Times' report on the Data Privacy Forum is available in its issue of 7 February 2018.
ABLI's Privacy Compendium: "Regulation of Cross-Border Transfers of Personal Data in Asia" (May 2018)
In May 2018, ABLI launched its second publication in ABLI's Legal Convergence Series titled Regulation of Cross-Border Transfers of Personal Data in Asia (Compendium).
The Compendium comprises 14 reports (Jurisdictional Reports) prepared by the Jurisdictional Reporters on the regulation of cross-border transfers of personal data in 14 Asian jurisdictions.
The first of its kind in Asia, the Compendium provides a holistic study of the regulation of data transfers in these different jurisdictions, which goes beyond a mere study of data transfer provisions in Asian data privacy laws to address the wider spectrum of issues that have an impact on the legal framework of cross-border data flows. It is designed for governments, data privacy regulators, law practitioners and industry, in Asia and beyond, to understand the scope, the operation and the implementation of regulations applicable to data transfers and data localisation requirements in the region.
On 2 December 2019, ABLI published of the Chinese translation of the Compendium. The translation was made possible with contribution of Peking University and a network of senior data protection officers in China.
ABLI's Data Privacy Workshop and side events during Privacy Awareness Week (May 2019)
On 21 May 2019, the Personal Data Protection Commission (Singapore)
and ABLI held a workshop
with 50 representatives from the legal profession, industry, regulators and government. Participants from 15 jurisdictions discussed, among others, general frameworks for data transfer regulations in Asian laws, accountability instruments for data transfers in Asia (APEC CBPRs, contracts, BCRs and certification, among others), data localisation in Asian legal systems and the ‘Right to Data Portability’ in Asia.
Several side events were held in Singapore during that week, including a closed-door workshop with regulators and governments from Cambodia, Hong Kong SAR, India, Japan, Lao PDR, Malaysia, New Zealand, the Philippines, Singapore and Thailand to discuss issues regarding cross-border transfer of personal data in Asia, and a closed-door workshop with the Jurisdictional Reporters and industry representatives.
Transferring Personal Data in Asia: A path to legal certainty and regional convergence (May 2020)
On 30 May 2020, ABLI published a Comparative Review and Table on the laws and regulations on cross-border data transfers in 14 APAC jurisdictions. This unique piece of work aims to provide the public stakeholders of the region that are currently drafting or reviewing their transfer frameworks with an overview and analysis of the transfer principles, legal grounds and mechanisms that operate in the laws of their neighbours on areas such as consent, contracts, BCR, certification, CBPR, privacy codes, adequacy, statutory exemptions and localisation. An update to the Comparative Review and Table was released in November 2020.
This work further analyses the main areas of differences, but also the potential of convergence in many transfer provisions in Asian laws, with recommendations attached.
Like its previous publications, ABLI prepared the Comparative Review and Table with input from its network of country experts, law practitioners and other industry experts familiar with Asian data protection developments. APAC regulators also provided comments and confirmed the information related to their national legal frameworks.
From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific (June 2022)
Following the announcement in August 2021 of the collaboration between ABLI and the Future of Privacy Forum, the two organizations have been working on a joint project titled From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific.
In the Asia-Pacific (like elsewhere), the limitations of “notice and consent” are increasingly under scrutiny. While notice and consent requirements have long been used to justify the collection and processing of personal data, this justification has increasingly been called into question. For example, the over-reliance on consent has led to the development of a “tick-the-box” approach to data protection for organizations and “consent fatigue” for individuals, which contradict the original purpose of data protection laws.
The ABLI-FPF project aims to guide the development of data protection frameworks in the Asia-Pacific away from consent-centric, “tick-the-box” compliance requirements and towards responsible data practices and accountability for privacy when processing personal data. At the same time, the project recognizes that effective policies need to balance the interests of individuals in protecting their personal data and organizations in using personal data, while also promoting the interests of broader society, such as developing a vibrant digital economy and preventing crimes and fraud.
The project covers the same set of 14 jurisdictions considered in ABLI’s other work in data protection and privacy.
In June 2022, ABLI and FPF began releasing Jurisdiction Reports for those 14 jurisdictions largely on a weekly basis. Those reports are available for free download (in the order of release time): China, South Korea, Hong Kong SAR, New Zealand, Australia, the Philippines, Indonesia, Malaysia and Vietnam.
The Jurisdiction Reports provide a detailed overview of relevant laws and regulations in the jurisdictions on:
- notice and consent requirements for processing personal data;
- the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
- statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
Where relevant, the Jurisdiction Reports also examine the positions under the current drafts of the upcoming data protection laws of relevant jurisdictions, such as India, Indonesia and Vietnam. Although those drafts may still change and the timeline for formal adoption of the new laws remains uncertain, considering potential new positions offers a glimpse to the possible directions of where the requirements on consent and alternatives to consent may develop in the relevant jurisdictions in the not-too-distant future.
The joint project will culminate in the release of a comparative review paper built upon 14 jurisdiction reports, which will provide detailed recommendations to promote legal convergence around requirements for processing personal data in Asia Pacific.
ABLI and FPF hope that these publications will prove useful to lawmakers, governments, and regulators in Asia (and beyond) who are currently drafting, reviewing, or implementing data protection laws in their respective jurisdictions.
A trusted partner
ABLI has gained recognition as a credible and trusted stakeholder by organisations as diverse as governments, business groups, supra-national institutions, data protection regulators, privacy professionals, academics, think tanks and NGOs, across Asia and beyond.
Since the Project's launch, Dr Clarisse Girot, Senior Research Fellow and Data Privacy Project Lead, has been invited to contribute to a multitude of events, publications and projects through which ABLI has promoted the importance of legal certainty and convergence in the area of data privacy in Asia.
- 26 May: ABLI hosted virtual panel Balancing Consent and Other Legal Bases in Personal Data Protection Laws: Pathways to Convergence in Europe and Asia during the Asia-Europe Law and Business Symposium co-organized by the Singapore Academy of Law and the Embassy of France in Singapore.
- June: ABLI and FPF start releasing of Jurisdiction Reports under the joint project of From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific.
- 11 January: ABLI’s Data Privacy and others Projects cited by The Honourable the Chief Justice of Singapore Sundaresh Menon in his Opening of the 2021 Legal Year speech as among the initiatives to advance rule of law in both the domestic and international space.
- 15 January: ABLI's Comparative Review “Transferring Personal Data in Asia: A Path to Legal Certainty and Regional Convergence” is a winner of the Future of Privacy Forum's 11th Privacy Papers for Policymakers Award.
- 20 January: Dr Girot speaks on recent data protection developments in ASEAN at the 4th ASEAN Forum hosted by Rödl & Partners Singapore.
- 20 January: Dr Girot shares views and recommendations for convergence issued from ABLI's work to WTO delegates, senior trade officials and specialists on issues including data flows and protection at an event organised by the Digital Trade Network and Canada Permanent Delegation at WTO, to advance WTO JSI negotiations on e-commerce.
- 22 January: the 1st ASEAN Digital Ministers’ Meeting approves the ASEAN Data Management Framework (DMF) and Model Contractual Clauses for Cross Border Data Flows (MCCs). Dr Girot is a member of the Ad-Hoc Committee formed by IMDA/PDPC Singapore to review the MCCs.
- 28 January: Dr Girot invited to contribute comments at the celebration of Data Privacy Day IAPP - International Association of Privacy Professionals Knowledgenet Philippines Chapter with National Privacy Commission's Chairman Raymund Liboro.
- 10 February: Presentation of Transferring Personal Data in Asia: A Path to Legal Certainty and Regional Convergence at the Future of Privacy Forums’ Privacy Papers for Policymakers Award
- 30 March: Dr Girot spoke on "The Value of Modern Data Protection Regime for Indonesia’s Industries" organised by EuroCham Indonesia
- 20 April: Dr Girot presented ABLI's work on data transfer regulations in Asia to senior government officials from across the ASEAN region in a workshop on digital data governance organised by Crowell & Moring International, Google, Singapore Cooperation Programme and IMDA
- April: The April 2021 international report of the Privacy Law & Business published an article contributed by Dr Girot and Grace Chen titled "Singapore DP law amendments: Practical implications".
- 27 May: Dr Girot spoke at a breakout session titled Schrems II in a Nutshell with Mr Wojciech Wiewiorowski, European Data Protection Supervisor, at the 4th National Data Privacy Conference organised by the National Privacy Commission of the Philippines
- June: Upon invitation by the host, Personal Information Protection Commission of Korea, Dr Girot presented ABLI's current initiative at a closed session on the theme of global interoperability in data protection at the 55th Asia Pacific Privacy Authorities (APPA) Forum held online in Seoul, South Korea
- 25 August: ABLI announced collaboration with the Future of Privacy Forum to drive understanding of data privacy protection and practices
- 5 January: Dr Girot delivers keynote speech at the Greater Bay Area Data Interconnection and Secure Development Summit hosted by the China Free Trade Zone Infoport in Zhuhai, China
- 2 March: ABLI submits comments to the Joint Parliamentary Committee on the Data Protection Bill of India
- 11 April: Invited to take part in the OCED online workshop on "Addressing the Data Governance and Privacy Challenges in the Fight against COVID-19", supported by the Global Privacy Assembly (GPA)
- 16 April: article authored by Dr Girot on Singapore's contact tracing app TraceTogether published in Dalloz Actualités, the leading law review in France
- May: Dr Girot invited to become a member of the Sedona Conference Working Group Series (WGS)
- 28 May: Publication of ABLI’s Comparative Table and Analytical Review on the laws and regulations on cross-border data transfers in 14 Asia-Pacific jurisdictions
- 22 June: Article on ABLI's Comparative Review "Transferring Personal Data in Asia" published in the Summer issue of Privacy Laws & Business International Report
- 30 June: Virtual program for the IAPP Summit Sessions, China Chapter, on "Privacy awareness redux: How to promote privacy from governments to employees"
- 16 July: webinar on "Data Protection Trajectories in ASEAN" with Jj Disini and Philippines Privacy Commissioner Raymund Liboro, Digital Transformation Thursdays hosted by Disini Law Office
- 3 August: Announcement of the selection of ABLI's Data Privacy Project to be showcased at the 3rd edition of the Paris Peace Forum
- 27 August: Op-ed Cross-border data protection needs less formal, bottom-up approach by Dr Girot published in the Business Times
- 22 September: Panel discussion on "Doing Digital Business Beyond the Beltway and Brussels’ at the American Bar Association Virtual Annual Conference
- 29 September: ABLI organises and chairs the session "Converging Data Protection Approaches" at TechLaw.Fest 2020
- 21 October: Dr Girot speaks on a session on Asian privacy developments hosted by InfoGovernance ANZ, a community of information governance professionals in Australia and New Zealand
- 12 November: ABLI's Data Privacy Project showcased as "one of the 100 solutions to bounce back from Covid-19" at the 3rd edition of the Paris Peace Forum
- 13-15 November: ABLI participates in Global Privacy Assembly (GPA) 2020
- 15 November: ABLI publishes an updated version of its Comparative Table on the laws and regulations on cross-border data transfers in 14 jurisdictions
- 17 November: IAPP Web Conference - Changing Needs, Changing Laws: The Origin and Impact of China’s draft Personal Information Protection Law
- December: Virtual Workshops on Data Flows in Philippines and Thailand organized by the World Economic Forum in the context of the “Digital ASEAN” program
- 9 December: Dr Girot contributes international perspectives at a workshop on "Best Practices in Personal Data Protection in the Digital Environment", co-organised in Hanoi by the United Nations Development Programme, EU Delegation in Vietnam and the Ministry of Public Security of Vietnam
- 17 December: Dr Girot contributed to APEC Privacy Roundtable organised by Microsoft, the National Center for APEC, and BSA l the Software Alliance to explore options to strengthen privacy regulatory coherence in APAC for the APEC 2021 Agenda
- 20 December: article “Data Transfers after Schrems II: views from the Asia Pacific” co-authored by Dr Girot, Olga Ganopolsky (Maquarie, Sydney), and Mark Parsons (Hogan Lovells, Hong Kong) published in Privacy Laws & Business International Report, December 2020, www.privacylaws.com.
- 28 March (Jakarta, Indonesia): Panel discussion on personal data protection organised by K&K Advocates and the Ministry of Communication and Informatics (Kominfo)
- 29 March: Presentation of the Project at a meeting with the ASEAN Secretariat
- 24 May (New Delhi, India): Meetings with Justice BN Srikrishna, chair of the Working Committee on the Draft Data Protection Bill of India and the Ministry of Electronics and Information Technology (MeitY)
- 25 May (New Delhi, India): Session chair at the "Privacy in the Digital Age" conference organised by the European Commission and the Centre for Internet and Society (CIS)
- 5 June 2018 (Beijing, China): Speaker at the 2018 Annual Forum of the Research Alliance for Data Governance and Cyber Security, Peking University
- 25 July 2018 (Singapore): Chaired session "Pathways to Convergence in Asian Data Protection Law" at IAPP Asia Privacy Forum 2018
- 26 July 2018 (Singapore): Chaired the first session "Digital Economy and its Impact on the Law' at the ABLI-UNCITRAL Emergence Conference
- September 2018: Dr Girot co-authored the World Bank Group’s 2018 Digital Report on the Digital Economy in ASEAN (released in March 2019) aimed at supporting ASEAN governments’ policies on disruptive technology and the digital economy
- 26 September: "Regulation of Cross-Border Transfers of Personal Data in Asia" is referred to by the Supreme Court of India in its landmark judgment on the constitutionality of India's Aadhaar system
- 28 September (Hangzhou, China): Panel discussion at the 3rd China Conference on Data Security and Privacy Protection organised by Alibaba Data Security Institute and Guiyang Big Data Security Engineering Research Centre (see report by co-panellist Samm Sacks)
- 3 October (Singapore): Panel discussion at workshop "A Future Ready ASEAN: Creating an Inclusive Digital Ecosystem" organised by Singapore Institute of International Affairs, Google and the Ministry of Foreign Affairs
- 26 October (Brussels, Belgium): Panel discussion at a side event on cross-border data flows organised by the Personal Information Protection Commission of Japan on the sidelines of the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC)
- 8 December (Singapore): Panel discussion at "Human Rights and Digital Security", conference on the 70th Anniversary of the UDHR, European Union Delegation to Singapore
The Project considers the regulations in the jurisdictions represented by ABLI's Board of Governors, other Asian and Oceanic jurisdictions which have cross-border controls in place and others Asian jurisdictions which are considering putting such controls in place. That is:
Australia, China, Hong Kong SAR, India, Indonesia, Japan, Macau SAR, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand and Vietnam.
Consistent with ABLI's Asia-centric focus, 88% of contributors are from ASEAN, East Asia and South Asia—with an additional 12% from Australia and New Zealand. Congruent with ABLI's aim of providing practical guidance, 71% of contributors are practitioners, with an additional 18% from academia and another 12% from a not-for-profit research and policy organisation.
Project Lead and Editor
||Dr Clarisse GIROT is a Senior Research Fellow at the Asian Business Law Institute. Dr Girot was previously Counsel to the President of the French data privacy regulator, Commission nationale de l'informatique et des libertés (CNIL), and prior to that Dr Girot was head of CNIL’s department for European and International Affairs.
- Mr CAI Kemeng, Dentons Beijing Office (China)
- Mr Ken CHIA, Baker & McKenzie - Wong & Leow (Singapore)
- Mr David DUNCAN, Tilleke & Gibbins (Thailand)
- Mr JJ DISINI, Disini & Disini Law Office (Philippines)
- Katrine EVANS, Hayman Lawyers (New Zealand)
- Ms Elonnai HICKOK, Centre for Internet and Society (India)
- Associate Professor Kaori ISHII, University of Tsukuba (Japan)
- Mr Danny KOBRATA, K&K Advocates (Indonesia)
- Mr Justi KUSUMAH, K&K Advocates (Indonesia)
- Mr Peter LEONARD, Gilbert + Tobin (Australia)
- Professor Abu Bakar MUNIR, University of Malaya (Malaysia)
- Mr Kwang Bae PARK, Lee & Ko (Korea)
- Mr Mark PARSONS, Hogan Lovells (Hong Kong SAR)
- Ms Waewpen PIEMWICHAI, Tilleke & Gibbins (Vietnam)
- Ms Graça SARAIVA, Venetian Macau Limited (Macau SAR)
- Mr Amber SINHA, Centre for Internet and Society (India)
- Professor Fumio SHIMPO, Keio University (Japan)
You might also like...
See ABLI's other projects.