When Europe’s General Data Protection Regulation (GDPR) came into force in 2018, the framework prompted a global shift in mindset around how firms consider and manage personal data. Now, a little over a year on, with a growing number of national data protection laws also coming into effect, companies in Asia are increasingly emphasising compliance, and careful handling of data.
The root of the data-protection wakeup call in Asia can be mapped largely from GDPR and its stringent measures. The European law, which came into force in 2018, rattled businesses with threats to hand out hefty fines. At the same time, Asian countries have been getting serious about data protection too.
In June this year, Indonesia revealed that it had drafted a new law, the Personal Data Protection Act, that seeks to ensure data storage is safeguarded and consent is gained prior to the sharing of personal data. Meanwhile, India has also made inroads in this area, proposing a data protection law that would require data to be stored and managed locally – something international companies operating in India are attempting to quash. South Korea has long had one of the toughest stances on data privacy in the region, and Vietnam is drafting its own data protection law. And the region’s biggest economy – China - recently introduced a new data protection law in an effort to crack down on the misuse of private data.
All these countries are motivated by personal data privacy protections, which are increasingly topics of note for both businesses and their clients. While data security protection processes have caused ripples and scrutiny in Asia, each change is a symptom of overarching changing attitudes towards the way data is collected, stored and regulated. And companies across the region have been falling in line, making their own practical changes and mapping out their own compliance measures in order to keep up with evolving attitudes towards data protection.
“GDPR is now an essential concern in business dealings and operations, especially given the ever-increasing use of technology and the sheer growth in the amount of data which is collected in any business operations,” says May Lu, a Shanghai-based partner at Simmons & Simmons.
“As a result, companies are paying more attention to GDPR as a relevant concern at the outset of doing business and as a key element of their overall compliance functions, as opposed to it being a standalone issue or afterthought,” she says.
Additionally, the leverage held by consumers and clients can’t be overlooked when it comes to businesses’ strategic planning. “The emergence of the new data privacy legislation in China has been driven in part by consumer concerns and complaints. News reports regarding leaks and hacks, whether in China or (more often) overseas, emphasise the potential risks, significant cost and damage to a business. Accordingly, businesses are now extremely alert to this area. Multinationals, in particular, are becoming increasingly aware of the fact that foreign laws such as GDPR in Europe can also have extra-territorial effects which can impact their businesses in China,” Lu adds.
Carolyn Bigg, partner at DLA Piper, says that during her decade in the Asian region, she’s witnessed changing attitudes and practicalities around data protection mechanisms. While she feels that such laws do have an impact on perceptions and actions around data security, Bigg notes that GDPR itself is not a silver bullet solution for Asia.
“GDPR is driven by individual privacy rights. It’s really restrictive about what businesses can do whereas in Asia we now have around the region some strong and actually sometimes stronger than GDPR requirements around cybersecurity, but because of cultural and geopolitical and other reasons the cybersecurity and data protection laws are business-friendly and pragmatic,” she explains.
Despite China typically being considered a challenging country for compliance due to its multiple regulatory bodies and ambiguity of some legislation, the economic giant has in recent years pushed through a number of clear reforms focused on data security and maintenance. In Bigg’s opinion, it has “some of the strictest rules,” when it comes to storing and managing data.
With new regulations and guidance being issued at an “almost weekly” rate now, lawyers are playing an essential role in supporting firms to map out the way they tackle their data security needs and requirements. While Bigg concedes there remains uncertainty around some fundamental issues, particularly around overseas data transfers and in areas relating to some of the information network security, rather than data security, these are expected to become clearer and more explicit over time.
To be functional, firms operating in China need to continue to monitor these developments and ensure that they make technological and operational changes accordingly. “It’s definitely something that international businesses and local businesses need to be turning their attention to if they’re not doing so already,” Bigg suggests. “The businesses that are getting prepared and planning ahead to help manage the uncertainty, they’re the ones that are well placed to manage these compliance challenges,” she adds.
The businesses community has been following these changes carefully and adjusting behaviours accordingly. Lu at Simmons & Simmons has noticed that businesses in the region “generally are paying far more attention to data privacy and compliance rules in China.”
“This reflects the significant discussion and evolving regime in China itself, but also the fact that this is a global issue with changes and high-profile cases in other jurisdictions. Multinationals operating in China, in particular, need to consider their local strategy alongside their global strategy,” she says of managing and protecting data.
“In response, we sense that many companies have audited their current coverage and established or updated their rules regarding data privacy and compliance,” Lu explains, adding that companies in certain industries with more specific needs, “need to be especially alert on an ongoing basis to ensure compliance.”
While a blanket GDPR-style regulatory framework is unlikely to come into place across Asia anytime soon, as businesses grow more accustomed to regulatory requirements and various compliance demands across different markets, the benefits and commonplace compliance requirements are gaining traction.
Within China, certainly, further regulations are on the horizon. “China is rapidly evolving, and we fully anticipate that rapid evolution to continue over the coming months and possibly even years,” Bigg says. But in other markets, there may be generally something of a slow-down in data privacy reform, she estimates. However, there is one area where further change can be expected. Akin to GDPR processes, data breach requirements are likely to be rolled out across Asia as data grows more protected and privacy becomes an increasingly valuable commodity.
Thinking ahead, Lu feels that there has been something of a cultural shift by companies towards data privacy and data storage in Asia. “Companies, in general, are far more aware of the risks and requirements. Companies now do not under-estimate the potential adverse impacts of data leaks and hacks. Aside from regulatory concerns, there is the significant reputation risk arising from such situations and the administrative and financial cost of handling these,” she warns.
[For a full breakdown of China’s data protection law, please click HERE]
To contact the editorial team, please email ALBEditor@thomsonreuters.com.