Browse Database
Restrictions on data

TAIWAN

Since October 2012

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Personal Data Protection Act (PDPA)
The transfer of personal information to mainland China is prohibited.
Coverage Mainland China
Restrictions on data

SINGAPORE

Since 2017

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Internet Surfing Separation Policy
In 2016, Singapore’s Cyber Security Agency proposed to cut off all government computers from the global internet, so that they may only communicate with each other. Employees for whom access to the internet is a fundamental part of their functions, such as communications, human resources and research, may use the internet, but only on separate personal or agency-issued devices. Accordingly, all public administration data is to be held only on local servers owned by the relevant agencies. Although a full public sector air-gap was due to be instituted in May 2017, in March of that year only a handful of government agencies had been cut off from the internet.
Coverage Public services data
Restrictions on data

SINGAPORE

Since January 2014

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Personal Data Protection Act
An organisation may only transfer personal data outside Singapore if it has taken appropriate steps to ensure that:
- it will comply with the Personal Data Protection Act (PDPA) obligations in respect of the transferred personal data while it remains in its possession or under its control; and
- the recipient outside of Singapore is bound by legally enforceable obligations to provide a standard of protection to the personal data transferred that is comparable to that under the PDPA.
An organisation will be taken to have satisfied the second requirement if the individual consents to the transfer of the personal data to the recipient in that country.
Coverage Horizontal
Restrictions on data

PHILIPPINES

Since December 2015

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Guidelines on Outsourcing

Resolution No. 2115 of 2015 - Amendments in the Manual of Regulations for Banks and Manual of Regulations for Non-Bank Financial Institutions on the guidelines on outsourcing
According to Circular No. 899, offshore outsourcing of a bank's domestic operations is permitted only when the service provider operates in jurisdictions which uphold confidentiality. When the service provider is located in other countries, the bank should, during the risk assessment process, take into account and closely monitor, on a continuing basis, government policies and other conditions in the countries where the service provider is based.

The Bangko Sentral (the Central Bank of the Philippines) examiners shall be given access to the service provider and those relating to the outsourced domestic operations of the bank. Such access may be fulfilled by on-site examination through coordination with host authorities, if necessary.
Coverage Financial Sector
Restrictions on data

NEW ZEALAND

Since July 1993

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Privacy Act of 1993
Consent is not required for the transfer of data to third countries, subject to compliance with the Information Privacy Principles. However, both the Privacy Act and the Health Information Privacy Code continue to apply to personal information and health information even when it is transferred out of New Zealand.

The Privacy Commissioner is given the power to prohibit a transfer of personal information from New Zealand to another state, territory, province or other part of a country by issuing a transfer prohibition notice.
Coverage Horizontal
Restrictions on data

NEW ZEALAND

Since 2010

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Inland Revenue Acts
New Zealand’s Inland Revenue Service issued a “Revenue Alert” stating that companies were required to store business records in data centers physically located in New Zealand in order to comply with the Inland Revenue Acts.
Coverage Horizontal
Restrictions on data

MEXICO

Since July 2010

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Federal Law for the Protection of Personal Data in the Possession of Private Parties
According to the Federal Law for the Protection of Personal Data in the Possession of Private Parties, domestic and international transfers need the consent of the individual. Additionally, the data controller must provide the third parties with the privacy notice that was sent to and consented to by the individual. Consent is not required for an international transfer:
- if transfer is intra-group;
- if it results from a contract executed or to be executed in the interest of the data owner between the data controller and a third party; and
- in a few other circumstances.
Coverage Horizontal
Restrictions on data

MALAYSIA

Since November 2013

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Personal Data Protection Act 2010
The Personal Data Protection Act (PDPA) does not permit a data user to transfer any personal data out of Malaysia. However, the Act offers a set of exceptions, permitting the transfer of data abroad under certain conditions. The transfer is allowed if:
- the data subject has given his consent to the transfer;
- the transfer is necessary for the performance of a contract between the data subject and the data user;
- the transfer is necessary for the conclusion or performance of a contract between the data user and a third party that is either entered into at the request of the data subject or in his interest;
- the transfer is in the exercise of or to defend a legal right;
- the transfer mitigates adverse actions against the data subjects;
- reasonable precautions and all due diligence to ensure compliance with the conditions of the Act were taken; or
- the transfer was necessary for the protection of the data subject’s vital interests or for the public interest as determined by the Minister.

While officially entered into force in November 2013, the PDPA has not yet been enforced.
Coverage Horizontal
Restrictions on data

KOREA

Since 2015

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Act on Promotion of Cloud Computing and Protection of Users

Data Protection Standards for Cloud Computing Services Guidelines
All cloud services providers providing services to public institutions must have public data centers located within the country, and must be physically separated from networks serving the general public. Although the guidelines only act as recommendations, in practice, Korean institutions generally follow them. These policies, paired with a Ministry of Science, ICT and Future Planning (MSIP) plan to spread the use of cloud services in e-government, entail an increased localisation of data used in public services.
Coverage Cloud services, public sector data
Restrictions on data

KOREA

Since 2000, amended in 2014

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Financial Holding Company Act (FHCA)
Despite provisions in its FTAs with the EU and the US to allow sending financial data across borders, Korea prohibited outsourcing of data-processing activities to third parties in the financial services industry for several years, and today certain restrictions still apply. Banks can therefore only process financial information related to Korean customers in-house, either in Korea or abroad, and offshore outsourcing is restricted to a financial firm’s head office, branch or affiliates.

In June 2015, the Korea Financial Services Commission proposed revisions to its outsourcing policies, eliminating its requirements for (1) prior approval for the outsourcing of IT facilities; (2) offshore outsourcing to be restricted to a financial firm’s head office, branch or affiliates (thus permitting use of third parties); and (3) use of a standardized outsourcing contract form (thus permitting customized contracts provided they include certain obligatory terms). Such revisions were implemented in July 2015. Yet, certain conditions for processing abroad still apply today.
Coverage Financial sector
Restrictions on data

KOREA

Since 2005

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Act on Promotion of Information and Communications Network Utilisation (the Network Act)
If a user's personal information is transferred to an overseas entity, Article 24-2 of the Network Act requires online service providers to disclose the following and obtain the user's consent to it: the specific information to be transferred overseas; the destination country; the date, time, and method of transmission; the name of the third party and the contact information of the person in charge of the personal information held by the third party; and the third party's purpose of use of the personal information and the period of retention and use.
Coverage "Online service providers"
Restrictions on data

KOREA

Since September 2011, amended in 2014

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Personal Information Protection Act (PIPA) - Art. 17 (3)
The Personal Information Protection Act requires companies to obtain consent from data subjects prior to exporting their personal data.
Coverage Horizontal
Restrictions on data

KOREA

Since 1961, last amended in June 2014

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Act on the Establishment, Management, etc. of Spatial Data - Article 16
Korea prohibits the storage of high-resolution imagery and related mapping data outside the country and justifies this restriction on security grounds. It is reported that the prohibition led to a competitive disadvantage for international online map services, since their locally-based competitors are able to provide several services (such as turn-by-turn driving/walking instructions, live traffic updates, interior building maps) that international service providers cannot.
Coverage Maps services
Sources
  • Act on Land Survey, Waterway Survey and Cadastral Records, Act. No. 12738, June 3, 2014, translated in 31 Statutes of the Republic of Korea. Available at http://elaw.klri.re.kr/eng_service/lawView.do?hseq=32771&lang=ENG
  • http://ogleearth.com/2012/07/constraining-online-maps-the-case-of-south-korea/
  • 2014 National Trade Estimate Report on Foreign Trade Barriers: https://ustr.gov/sites/default/files/2014%20NTE%20Report%20on%20FTB.pdf
Restrictions on data

JAPAN

Since 2016

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Common Standards for Information Security Measures for Government Agencies
The National Center of Incident Readiness and Strategy for Cybersecurity’s (NISC) “Common Standards for Information Security Measures for Government Agencies” allows government agencies to make use of systems that are "isolated" from the internet if necessary. Information on the agencies affected is not readily available. This policy effectively involves the localisation of data used by the public services concerned.
Coverage Cloud services, public sector data
Restrictions on data

JAPAN

Since May 2017

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Act on the Protection of Personal Information (Act No. 57 of 2003; "APPI") as amended in 2015
The Act on the Protection of Personal Information (APPI) did not originally restrict the transfer of personal information to foreign countries, but amendments enacted in 2015, which took effect in May 2017, added restrictions on cross-border data flows. The amended APPI prescribes three types of legitimate transfers of personal information to a third party in a foreign country: (1) transfers to a country that the Personal Information Protection Commission (PPC) has designated as having an acceptable level of data protection; (2) transfers to a third party in a foreign country in circumstances in which actions have been taken to ensure the same level of data protection as in Japan (such as entering into a data transfer agreement imposing obligations on the transferee meeting the requirements of the APPI); or (3) transfers with the data subject’s consent.
Coverage Horizontal