By Tim Yu, a cybersecurity and technology policy analyst based in Hong Kong
Over recent years, there has been a concerted effort by Asian regulators to ramp up their data protection regimes. In light of growing concerns ranging from data breaches to cross-border transfers of personal data, a number of Asian countries – including China, India, South Korea, Vietnam, Malaysia, Thailand, and Indonesia – have either introduced new cybersecurity or data protection legislation or enhanced what they already had.
Many of these Asian regulations have drawn inspiration from the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018. But some countries are extending their reach further than their European counterparts.
In China, a national standard on personal information issued under the Cybersecurity Law has invited comparisons to the GDPR by expanding the definition of personal information, introducing the concept of ‘sensitive personal information,’ and imposing mandatory consent obligations. Although a ‘recommended,’ non-binding national standard, it contains onerous requirements on cross-border data compliance and on the collection of personal information – with companies likely to become de facto subject to review and approval by regulators. Dr. Hong Yanqing, the lead drafter of the standard, has reiterated in an article (in Chinese, here) that the standard was intended to be more permissive than the GDPR.
India’s draft personal data protection bill, still under discussion, proposes GDPR-inspired principles including similar consent-based obligations, restrictions on the handling of personal data, and a requirement that certain sensitive data about Indians be stored locally. Draft policies on e-commerce and cloud computing currently being debated within government and industry are rumored to include data localization proposals of their own.
In October 2018, Malaysian authorities announced that they will be updating the country’s data protection laws, possibly modeling them on the GDPR in the hope of cracking down on data breaches. Thailand likewise replicates many of the concepts introduced by the GDPR, such as “personal data,” “data controller,” and “data processor.”
In some respects, Asian regulators are understandably concerned. Recent high-profile cyber-attacks, as well as data breach scandals involving the American tech giants Facebook and Google, have only reinforced the view within governments that they are justified in taking firmer control of their data protection regimes.
Much of the impetus behind these regulations is grounded in the assumption that data privacy and protection will be enhanced if consumer data is kept onshore within a host country’s geographical boundaries. But the adoption of more restrictive policies for Asian data protection regimes is problematic on a number of fronts.
The adoption of sector-agnostic Asian data protection regulations has placed further compliance burdens on businesses (particularly small-to-medium sized enterprises) that may not have the resources to meet a patchwork of differing regional standards. The differences range from the specific timeframes within which entities must notify authorities of a data breach to how personal data is defined and processed.
In addition, such regulation complicates companies’ ability to transfer data offshore and can lead to the unnecessary operational cost of establishing inefficient in-country data centers. These measures not only impair cross-border data mobility but also reduce overall data security for multinational companies, which must replicate and secure infrastructure in each jurisdiction rather than consolidate it.
The insistence of regulators on storing data onshore and on restricting cross-border data transfers has not gone unnoticed by foreign and domestic business communities operating throughout Asia.
The most notable example is Vietnam’s controversial cybersecurity law. Despite strong objections from several countries, including the United States and Canada, the law imposes data localization and cross-border data transfer restrictions by requiring that important data generated or collected in Vietnam by offshore entities be kept onshore. The Vietnam Digital Communications Association (VDCA) – citing estimates from a European Centre for International Political Economy (ECIPE) study – stated that the law’s data localization requirements could reduce Vietnam’s GDP by 1.7 percent and foreign investment by 3.1 percent.
The Asia-Pacific Economic Cooperation (APEC) forum – referencing estimates from the same ECIPE study – highlighted that jurisdictions such as Indonesia, South Korea, and China, which have enacted or proposed data localization or other barriers to cross-border data flows, face a substantial negative impact averaging 0.7 percent of annual GDP.
In a move seen as a potential counterweight to China’s growing data collection presence, the EU and Japan are rumored to be working together to craft rules on cross-border data transfers. In July 2018, Japan became the first Asian country to agree a reciprocal data privacy arrangement with the EU under which each recognizes the other’s data protection system as equivalent. According to Bloomberg, the European Commission is also in talks with South Korea over a comparable data protection adequacy deal.
The adoption of formalized mutual data equivalency agreements also raises the question of whether they set a precedent for other jurisdictions to adopt similar bilateral frameworks in the future. As GDPR-esque clauses continue to appear across Asian data protection regimes, it remains unclear whether other countries – most notably China – will follow suit and recognize the EU as offering equivalent protection.
In the case of China, the EU is unlikely to grant equivalency because of objections relating to human rights and democratic rule of law. By the same token, Chinese authorities are unlikely either to reciprocate an adequacy framework with the Europeans or to join the APEC Cross-Border Privacy Rules (CBPR) system.
For better or worse, Europe’s privacy standards have lent credibility to Asian regulators who have, in some instances, used the GDPR as a benchmark to justify more onerous approaches to their own data protection regimes as they chart their own path forward.