Cybersecurity and data protection laws are changing rapidly across Asia, and companies wishing to avoid losing their business operations in key countries are taking note.
News from China:
In China, non-compliant international businesses are already facing severe consequences for failure to comply with the PRC Cybersecurity Law. In the first few weeks after the law went into force in June of this year, 60 online entertainment news sites were shut down, and 22 people engaged by a global technology giant were arrested. Since then, the situation has remained serious.
The PRC law continues to evolve. While some questions remain, the key message is: do not ignore the PRC Cybersecurity Law. It is now in force, and organizations must comply.
Read on if you:
- Transfer personal information and important data out of China
- Are concerned your organization may be a key information infrastructure operator
- Supply network and cybersecurity products and services to China
- Are unsure if you handle "important data" in or from China
What is now in force?
- The data protection and data security obligations on network operators and key information infrastructure operators (KIIOs) came into force on June 1, 2017
- The supervisory assessment/certification scheme for suppliers of critical network and specialized cybersecurity products and services also came into force on June 1, 2017
Are the new overseas data transfer rules in force?
Not yet. Unofficial sources indicate the lead regulator (CAC) discussed a revised draft of the measures with key stakeholders and proposed toning down some of the more onerous obligations. We await official announcements from CAC.
If and when the Draft Measures come into force, organizations should follow the Draft Guidelines for Data Cross-Border Transfer Security Assessment, which include practical tips on how and when to conduct a self-assessment, practical examples on assessing the sensitivity and level of influence of personal/important data, and solutions to minimize risks.
Am I a KIIO?
There is still no definitive test for this, but at this writing we know that websites and platforms with heavy traffic, operators of data centers, popular online marketplaces, and businesses where a network security incident would have a major societal impact are among those regarded as KIIOs.
Can I still sell my technology products in China?
Yes, but you now need to consider the supervisory assessment/certification scheme for suppliers of critical network and cybersecurity products and services to KIIOs.
What is "important data"?
"Important data" is broadly defined to include information that relates to national security, economic development, or social or public interest. Appendix A of the draft guidelines sets out an 11-page list of examples in key sectors – a useful reminder that the PRC Cybersecurity Law does not just affect personal data and has a wide reach.
Meanwhile, Singapore is proposing significant changes to its data protection law. Here are five top points:
- Data breach notification will in most cases become mandatory
Any data security breach likely to result in a risk of harm to the affected individual must be notified to the Personal Data Protection Commission (PDPC) and the affected individuals. Notification will need to be provided within 72 hours.
These changes are in line with a regional trend towards mandatory breach notification, and are in keeping with similar requirements in the EU, Canada and Australia. Organizations are encouraged to review their internal processes to ensure they have procedures in place for notification and management of data breach incidents.
- Data intermediaries will also be required to notify data breaches
Data intermediaries that process personal data on behalf of an organization must notify that organization if they become aware of any data breach. Organizations will then be required to comply with the breach notification requirements outlined above.
- No need for consent in some cases where purpose of collection is notified
The amendments propose an alternative to obtaining consent for the collection, use or disclosure of personal data where obtaining consent is not practical (provided it would not have an adverse impact on the individual).
- Notice or consent not needed if there is a legal or business purpose
Even more dramatically, neither notice nor consent would be required if the collection, use or disclosure of personal data is necessary for a legal or business purpose. Organizations would only be able to rely on this method when obtaining consent is not desirable or appropriate, and provided the benefit to the public clearly outweighs any negative impact on the individual: a much wider exemption than is available in other jurisdictions.
- Data impact assessments required if not relying on consent
Before relying on one of the new methods for the collection, use or disclosure of personal data, organizations need to conduct privacy impact assessments and put in place appropriate measures to mitigate any risks.
The PDPC has yet to issue guidance on how these proposed amendments will work in practice. Meanwhile, Singapore also published new guidance on data sharing, issued a public consultation on a proposed Cybersecurity Bill, and recently submitted a notice to join the APEC Cross-Border Privacy Rules system. Organizations should therefore be mindful that Singapore's laws in the area are developing, and monitor changes.