Locations
This article was first published in Data Protection Law & Policy in August 2012.
There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world. Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed. In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in every corner of the planet. At the same time, a common pattern can be seen in many of those developments: their attempt to strike the right balance between the exploitation and the protection of the most valuable asset of our time. So whilst Brussels wakes up from its legislative recess, it is worthwhile having a look at what has been happening in other parts of the world and spot trends and priorities in the regulation of personal information.
The most veteran jurisdiction in this area of law in Asia, Hong Kong, has just had a revamp of its 15 year old Personal Data (Privacy) Ordinance. Interestingly, the changes represent a considerable toughening of the existing regime, covering things like additional requirements in relation to direct marketing, supervisory duties in respect of data processors and enhanced enforcement powers for the privacy commissioner. So whilst the regulator will not be able to award compensation to aggrieved individuals as originally requested by the Office of the Privacy Commissioner, new financial penalties as well as the potential for up to five years imprisonment signal a stricter approach to the use of personal information.
Further north, in South Korea, the Personal Information Protection Act has only been in force for a few months but is already being branded as the toughest in Asia. With requirements that mirror some of the most demanding provisions of the proposed EU data protection regulation – like mandatory privacy officers, detailed security measures and data breach notification – Korea's new law is not one to be taken lightly. The local regulator is unlikely to be a quiet one and there are reports about a CNIL-like investigation into Google's changes to its privacy policy, which if anything, will raise the authority's standing among its peers.
The rest of Asia is not standing still either as countries like Malaysia, Singapore and the Philippines are also making progress in this area. Malaysia's Personal Data Protection Act has just come into force, so it is a bit early to say how far reaching it will be in practice but its pedigree looks rather European. Singapore's approach is slightly more modest and the legislative process is less advanced, but the draft bill is not without complexity. As for the Philippines, after some delay, the new Data Privacy Act has now been formally signed by the country's president and will be fully in force in about a year's time. The Philippines' law is in line with the European approach to privacy as a fundamental right, but much less prescriptive when it comes to regulating international data transfers.
This particular issue is one that concerns global organisations seeking to adopt a coherent and consistent methodology for compliance in respect of data flows. The European approach to international data transfers is intimidating to say the least, so it is understandable that those organisations that are investing in programmes like Binding Corporate Rules want to take advantage of that solution on a truly global scale. Otherwise, it would be hugely frustrating to devise and implement a data protection framework that worked for Europe but didn't quite cut it in a growing number of jurisdictions.
Fortunately, here is where accountability model championed under the APEC Cross-Border Privacy Rules throughout Asia and other countries around the Pacific Ocean does the trick, as it gives organisations the opportunity to decide how best protect the personal information they collect and use around the world. That way, whether one is trying to meet the expectations of data protection regulators in Europe, Asia or indeed America in respect of international data flows, it is not only possible but advisable, to devise a system like BCR that regards data protection as a global response to a business need and not as a box-ticking exercise.
Eduardo Ustaran, Partner in our Privacy and Information Law Group at Field Fisher Waterhouse LLP