OVERALL, IT'S INCONSISTENT
Inconsistent best describes the overall state of data privacy regulation in Asia Pacific countries. Comprehensive, consolidated data privacy law in APAC countries covers the spectrum, ranging from essentially none to some of the most exacting.
Regulations are fundamentally similar, but every country's implementation is unique. At the core, most policies cover the same areas, such as the collection and use of personal data, direct marketing consents, and cross-border data transfer. But the requirements for compliance can be different for every country. Using the example of direct marketing, one country implements a strict opt-in policy, another is content with opt-out, and in yet another the policy isn't explicitly stated.
Compliance grows ever more challenging for multinational businesses operating in the region. At the same time, compliance becomes more critical as penalties, and the willingness to impose them, increase.
FROM NONE to ONEROUS
Let's take a look at the strength of some regimes in APAC. We'll also see if there were any notable developments in 2014.
Countries with Little or no Consolidated Privacy Law
INDONESIA: In 2013 legislation was discussed, but no action has been taken.
MYANMAR: There are miscellaneous rules and laws addressing some aspects of data privacy but no comprehensive policy.
PHILIPPINES: Legislation came into effect in 2012, but the Commission that would enforce it has not yet been established.
Some laws, and a lull
Vietnam and Thailand have similarities. Neither has a comprehensive policy, but both have significant legislation addressing aspects of data protection. In both cases there is a draft law under review, neither of which is making any progress.
Tough Guys - Singapore and South Korea have their reasons
South Korean data privacy regulations are generally regarded to be the most difficult in APAC. The regime became even stricter in August 2014 when the Amended Personal Protection Act came into force.
The overarching PIPA is supplemented by many laws specific to certain sectors. The tough enforcement policy includes, among other things, allowing data subjects to bring class action suits. Penalties are quite punitive and include hefty fines and up to 10 years in prison.
This tough stance may be a reaction to a number of devastating and widespread data breaches over the last 4 or 5 years. A 2011 incident compromised over 70% of the population. In 2014 one attack affected 20 million people, and in another 220 million records with information on 27 million people were stolen and sold.
Singapore's comprehensive Personal Data Protection Act came fully into force in July of 2014. The Commissioner has been an active presence from the start, issuing guidance, asking for input, and prosecuting offenders.
Clearly the Commissioner will aggressively enforce the law, and also plans to appoint a panel of experts tasked with investigating any breaches. Penalties in Singapore are stringent and include fines of up to US$800,000.
Unlike South Korea's, Singapore's motivations are not based on past disasters. Instead, Singapore intends to become the top high-tech hub in the region and sees data privacy regulation as integral to achieving that ambition.
The Early Adopters
First to enact comprehensive privacy legislation were Australia in 1988, New Zealand in 1993, Hong Kong in 1995, and Japan in 2003.
Australian law got a facelift in early 2014 when a new Privacy Amendment came into force. The legislation introduced the Australian Privacy Principles, a cohesive set that replaced disparate privacy laws.
New Zealand's legislation, modeled on that of the EU, is close enough that the European Commission deemed that it meets the standards of European Law. New Zealand is the only APAC country to be put on the short "Whitelist" of countries to receive the endorsement. This means that data can be easily transferred from the EU to New Zealand, and opens further opportunities for trade.
Hong Kong laws did not see much significant change in 2014, after reforms and enhancements in 2012 and 2013. The very active Privacy Commissioner kept Hong Kong in the news, however. He is outspoken, and issues a prodigious amount of guidance on facets of the law. He also imposed the first prison sentence on a privacy law offender.
Japan had a lively 2014, with the proposal of significant amendments to the current law. The reforms, the first since enactment in 2003, would strengthen the Personal Information Protection Act. Several high-profile breaches in 2014 fast-tracked the proposed reforms.
WHAT'S COMING UP in 2015
This year will bring important changes as existing laws mature and new ones are implemented. The influence of the EU model is growing and will continue. The APEC Cross Border Privacy Rules System will continue trying to bring some consistency to privacy across the region. As lawmakers and regulators gain experience and confidence, they will address increasingly complex issues with greater sophistication.