Navigate the risks. Data privacy regulation in Asia. Freshfields Bruckhaus Deringer llp


Contents

Introduction
Data privacy laws: the region at a glance
People's Republic of China
Hong Kong
Japan
Singapore
Vietnam
Other Asian jurisdictions

For further information please contact

Connie Carnabuci
11th floor, Two Exchange Square, Hong Kong
E connie.carnabuci@freshfields.com

Mark Parsons
11th floor, Two Exchange Square, Hong Kong
E mark.parsons@freshfields.com

Junzaburo Kiuchi
Akasaka Biz Tower 36F, Akasaka, Minato-ku, Tokyo
E junzaburo.kiuchi@freshfields.com

Tony Foster
#05-01 International Centre, 17 Ngo Quyen Street, Hanoi
E tony.foster@freshfields.com

freshfields.com

Introduction

Data protection regulation is a critical business issue across virtually all sectors of commercial activity. The electronic age has seen an exponential growth in the volume of personal data used in business, to the point that most enterprises view their customer databases as being among their most valuable assets. Efficient organisation and processing of employee data and other personal data, whether onshore or offshore, can also be key to business success in an increasingly cost-conscious environment.

Asia is no exception. And while, historically, perceptions have been that Asian lawmakers are less concerned with regulating data privacy than their western counterparts, recently there has been an explosion of new laws and regulations in this area as emerging markets mature and Asian companies become increasingly reliant on advanced information systems and electronic marketing to do business.

Some Asian jurisdictions have brought in laws that target excesses of electronic marketing. Other legislative initiatives appear to be directed at raising national standards of data privacy compliance to make domestic services industries in IT and business process outsourcing more attractive for multinational corporations seeking to offshore in the region. Whatever the reasons for regulatory developments in this area, the result is that Asia now has an ever-shifting regulatory landscape that has yet to stabilise. The consequences for legal counsel in regional and multinational businesses are that they often face the difficulty of having to understand and comply with a raft of fragmented local laws and regulations that lack consistency and defined application.

Our team of data protection and privacy specialists works with international and local companies alike in managing this risk and compliance across the region.
We draw from our vast experience in more advanced markets, such as the European Community, to deliver international best practice that gives context to new legal requirements as they emerge, whether it is in the context of mergers and acquisitions (M&A), marketing, e-commerce or data processing operations.

This guide outlines the principal features of data protection laws in some key jurisdictions across Asia.

February 2012

People's Republic of China

To date, there is no comprehensive data privacy regulation in the People's Republic of China (PRC), nor is there a regulatory body in the PRC with principal responsibility for data privacy issues. However, in January 2011, the PRC Ministry of Industry and Information Technology (MIIT) published a draft national standard for information security technology that would, if enacted, implement principles-based data privacy regulation in the PRC for the first time. It remains to be seen how the PRC's data privacy regulatory environment will develop. But given the State Council's ambitions to foster an information society, it is likely that a comprehensive regime will be needed and data privacy will develop into an important regulatory area in the PRC.

The concept of personal privacy already has some recognition in the PRC constitution and in the criminal law. A range of legal protections relating to privacy can be found scattered throughout various laws, regulations, rules and measures, such as the 2010 Tort Law, banking, insurance and telecommunications regulations, and laws and regulations dealing with specific areas of activity, such as employment, consumer protection and e-commerce.

The PRC constitution

The PRC constitution recognises the protection of personal dignity and the freedom of communications and privacy of communications as fundamental rights. Although the constitution does not expressly define personal dignity, it is generally accepted, with support from judicial interpretation, that this right includes an individual's right to privacy. It should be noted that a citizen's rights to freedom of communications and privacy of communications are not absolute. These rights are subject to the needs of national security and criminal investigations. In other words, the relevant authorities are permitted to collect personal information from organisations or individuals and to intercept and censor private correspondence.
The PRC Tort Law

The PRC Tort Law, which took effect in 2010, includes a general right to privacy as an actionable civil right. The precise scope of this right, however, remains to be determined judicially. Other articles in the Tort Law focus on specific aspects of data privacy in particular contexts. Article 36 provides that internet content providers may be liable for privacy infringements and provides complainants with rights to require internet service providers (ISPs) to take down infringing content, failing which the ISP may be exposed to the same liability as the infringing content provider. Article 62 provides that hospitals and other medical facilities must observe a patient's right of privacy, and will attract tortious liabilities if medical records are disclosed without the patient's consent.

The PRC Criminal Law

The 7th Amendment to the PRC Criminal Law, promulgated in February 2009, created new offences in relation to the misuse of personal information, specifically in relation to: (i) the disclosure of personal data by state officials or by officials in financial, telecommunications, transportation, educational or medical institutions; and (ii) the theft of personal data by individuals. In both cases, the offence only applies in severe cases. Offences are punishable by fine, imprisonment or both. There have been press reports of a number of prosecutions and convictions under these offences, mainly in relation to the misuse of personal data in connection with some other unlawful act, such as identity theft or extortion.

The draft national standards

In January 2011, the MIIT published a set of draft national standards for personal information security in the context of the use of IT systems and, in particular, the internet. The standards are principles-based, drawing on the basic structure of EU Directive 95/46/EC. Seven principles are described:

Principle 1: principle of specific objectives
The first principle requires that data only be processed for specific, clear and reasonable purposes.

Principle 2: principle of openness and transparency
The second principle requires that data subjects be informed, in a clear and appropriate manner, of the personal data being processed, the purposes for which the data will be processed, the period for retention of the data, the administrator of the data's personal data protection policy, the data subject's rights in relation to the data and the administrator's officer responsible for data privacy compliance.

Principle 3: principle of quality assurance
The third principle requires that data be kept accurate, complete and up to date.

Principle 4: principle of security and protection
The fourth principle requires that necessary technical and organisational measures be applied to data processing for the purpose of preventing loss, disclosure and damage.

Principle 5: principle of reasonable processing
The fifth principle requires that personal data be processed in a reasonable manner and that, in particular, data not be collected covertly or indirectly. Once the permitted purposes for processing have been completed, no further processing should take place.

Principle 6: principle of informed consent
The sixth principle prohibits data processing without the data subject's informed consent.

Principle 7: principle of accountability
The seventh principle requires that responsibility for compliance measures be expressly provided for and enforced in practice to ensure compliance is achieved.

The standards go on to outline specific data subject rights, such as the right to require data users, termed as data administrators, to disclose their holdings of personal data, the right to have inaccurate or incomplete personal data corrected and the right to prohibit further processing. Data subjects will have a right to be informed of third-party processing of their data.
This requirement goes beyond the European OECD framework-based precedent, which only requires notification to the data subject if the transfer is to a third-party data processor located overseas. Under the standards, personal data exports are only permitted if there is specific legal or regulatory permission or the consent of the competent authority in the data administrator's industry.

The standards also require data administrators to agree to contractual undertakings to protect the security of personal information during the course of processing. Data administrators must adopt necessary management and technical measures to protect the security of the personal information against being searched or disclosed without authorisation, lost, divulged, damaged or tampered with, and must erase personal information when processing is complete. Meanwhile, data processors will be required to adopt necessary measures to protect the security of the data that they process.

To date, the MIIT's draft national standards remain uncertain in their intended legal effect. Notably, the standards do not prescribe any remedial or punitive measures for non-compliance. It is clear, however, that they represent a dramatic step forward in the thinking of the PRC government in relation to data privacy matters, and set the stage for further reaching legal reforms in the future.

Sector-specific laws and regulations

Banking

Under the 1995 Commercial Banking Law, PRC-incorporated and foreign banks have a general duty to protect their customers' confidential information, irrespective of whether they are individuals or institutions. The banks also have a right to refuse to provide customer information to third parties unless required by law.

Other more recent PRC regulations, for example, The Administrative Measures on the Identification of Customers' Identities and The Preservation of Customers' Information and Transaction Records, also impose a general obligation of confidentiality on all financial institutions with respect to personal customer and transaction information. The term financial institution is widely defined and any such entity must comply with the regulation's provisions on the retention of customer and transaction records, as well as with obligations requiring administrative and technical measures to be put in place to prevent the loss, damage or disclosure of customer and transaction information.

Although the above laws and regulations remain relatively underdeveloped, it seems likely that both the China Banking Regulatory Commission (CBRC) and the PRC courts would consider that a bank's duty of confidentiality extends to information about any customer or transaction, regardless of the type of service provided or the type of customer. According to the Measures for the Supervision and Administration of Credit Cards of Commercial Banks, promulgated by the CBRC in 2011, a bank must not engage in credit card business with online merchants that do not publish customer privacy policies.

Insurance

Under The Insurance Law of the PRC, insurers and reinsurers must keep policy holders' personal information confidential. Under the Regulations on the Basic Services of Personal Insurance Businesses promulgated in 2010 by the China Insurance Regulatory Commission (CIRC), insurance companies are obliged to establish systems to protect the privacy of policy-holders and policy beneficiaries and are obliged not to divulge personal information about these individuals without their consent. The same prohibitions apply to insurance intermediaries and brokerage houses under the Regulatory Provisions on Insurance Brokerage Agencies Order No.
6 of

Telecommunications

Telecommunications companies have a non-disclosure obligation in relation to any information transmitted by a user of telecommunications services over their networks. The PRC Telecommunication Regulations explicitly provide for the freedom of a telecommunications service user lawfully to use telecommunications services. It also provides that communications security shall be protected by law. Telecommunications service operators and their employees may not disclose the contents of a telecommunications message unless such disclosure is authorised by the message creator or requested by either public or state security bodies or the people's procurator in the process of carrying out their statutory duties (such as protection of state security or investigation of a criminal offence).

Employment

Since 1 January 2008, employers have been required to keep employees' personal information confidential under the Provisions on Employment Service and Employment Management. Employers must also obtain employees' written consent before disclosing their personal information, or any intellectual property created in the course of their employment, to third parties.

Consumer protection

Although there are no privacy or data protection provisions in the PRC consumer protection law at the national level, some regulations exist at the provincial level on the protection of consumers' information. Most of these (such as The Shanghai Consumer Interests Protection Regulation announced by the Shanghai People's Congress in 2003) set out two requirements for collecting personal information from consumers: personal information collected from consumers may not be disclosed to any third party without the consent of the relevant consumers; and merchants may not collect personal information unrelated to their products or services.

Credit information

The Provisional Rules on Management of Individual Credit Information Databases, communicated by the People's Bank of China (PBC), which came into force in October 2005, govern the collection and use of personal credit information in China. The provisions apply to the PBC and commercial banks, and their employees, but are limited to the individual credit information held in databases established by commercial banks under the PBC's instruction. Individual credit information includes basic personal information, personal credit information, debit transaction information and other information that would reflect an individual's personal credit standing.

Under these provisions, all relevant commercial banks are required to maintain the accuracy and completeness of a customer's data and to implement security measures to ensure that the data's confidentiality is maintained. Except with the consent of the individuals concerned, banks may not disclose or transfer individual credit information to third parties.

Outsourcing

As part of its efforts to help boost the domestic IT services and outsourcing industries by meeting concerns about data security standards in the PRC industry, in 2010 the Ministry of Commerce brought into force a set of measures intended to regulate the processing of business data in the PRC services industry. The measures oblige service providers to take specific steps to improve information security standards, such as establishing information protection teams, developing and implementing formal data security policies and procedures and obliging employees to enter into written confidentiality obligations. The measures do not, however, impose any specific information security standards or designate any government agency as responsible for their administration.

Outsourcing by PRC businesses is subject to sector-specific restrictions.
For example, banks are required to obtain CBRC and board approval for the outsourcing of customer databases. Bank customers must also be notified of these arrangements. Importantly, these regulations apply to both foreign bank branches and PRC-incorporated subsidiary banks. Similarly, insurers are subject to CIRC administered regulations which prohibit transfers of policy-holder data without consent, although this consent should be obtainable in advance through standard insurance application and policy terms.

E-commerce and electronic messaging

The PRC has enacted several laws and regulations on the collection and use of personal data over the internet. These laws recognise an individual's right to freedom of communications and privacy of communications when using the internet. However, they are generally subject to the authorities' rights to collect, intercept and censor personal information or private correspondence if it is deemed necessary. Such intervention may arise on the grounds of state security or in relation to a criminal investigation. A brief overview of the key legislation is set out below.

The Administration of Internet Electronic Messaging Services Provisions provide that electronic messaging service providers, such as suppliers of internet chat rooms or bulletin boards, must keep users' personal information confidential and not disclose it to a third party without the user's prior consent. Further, The Announcement Service Regulations require electronic messaging service providers to establish security measures and systems to protect user information. Any person whose personal information has been disclosed or used without authorisation may seek compensation from the electronic messaging service providers for damage or loss suffered as a result of such disclosure.
The Several Provisions on the Supervision of the Market Order of Internet Information Services prohibit certain ISP practices, including gathering, using or supplying to others the user's personal information without their consent.

Most PRC laws on the use of computers and the internet state that organisations and individuals are prohibited from infringing the freedom or privacy of e-mails between citizens. Specifically, The Circular Regarding Standardisation of the Dispatch of Commercial Information by prohibits internet users from sending spam communications. The Maintenance of Internet Security Decision states that unauthorised interception, modification or deletion of another person's e-mails or digital information constitutes an infringement of the individual's right to freedom and privacy of communications and attracts criminal liabilities.

Website content and cookies

Under The Internet Content Provision Administration Measures, commercial internet content providers (ICPs) are required to implement comprehensive security measures and systems to protect user information. However, ICPs and internet service providers (ISPs) are obliged to disclose personal information if there is a national security threat or criminal investigation or if they discover the publication of prohibited content on their websites.

Importantly, although these rules apply only to ICPs and ISPs with servers in the PRC, an offshore website operator that self-imposes its own online privacy policy through its subscription agreement with its end users will be bound by its own agreement. The offshore website operator may be liable to an end-user based in China for breach of contract if it fails to comply with its online privacy policy, even if its servers are offshore.

The PRC has not enacted any specific laws on the use of cookies. Website operators may install cookies on a user's system in the PRC without obtaining consent.

Protection of lawful interests

A number of computer and telecommunications-related laws prohibit, in very general terms, organisations and individuals from jeopardising citizens' lawful interests.
These laws seek to protect individuals from the unauthorised disclosure of personal information, the unauthorised intrusion of personal computer systems or telecommunications networks and the infringement of their freedom and privacy in transmission.

Hong Kong

Data protection in Hong Kong is governed by the Personal Data (Privacy) Ordinance (the PDPO), which took effect in December The Office of the Privacy Commissioner for Personal Data is responsible for overseeing the PDPO's administration. The PDPO draws from the basic structure of EU Directive 95/46/EC, setting out a series of principles that data users (ie the owners of personal data) must adhere to in processing personal data.

The PDPO was subject to a comprehensive review by the Hong Kong government's Bureau of Constitutional and Mainland Affairs. The review, originally intended to examine and increase the penalties for making unsolicited marketing telephone calls, was punctuated by a high-profile enquiry into Octopus Cards and certain Hong Kong banks over cross-marketing activities, in which Octopus was found to have sold data to insurance companies for HK$44m. The subsequent Personal Data (Privacy) (Amendment) Bill 2011 (the 2011 Amendment Bill) published in July 2011 features wholesale amendments to the cross marketing and direct marketing provisions of the original PDPO that will increase the existing penalties and create new offences.

Scope of the PDPO

The PDPO incorporates a very broad definition of personal data broadly consistent with EU Directive 95/46/EC, except that there is no concept of sensitive personal data receiving heightened regulatory protection. Personal data is defined as any processable data that relates directly or indirectly to any living individual and from which that individual's identity can be ascertained.

Data protection principles

The PDPO requires that data users comply with six data protection principles:

Principle 1: fair collection and processing
The first data protection principle requires that data subjects be informed of the purpose(s) for which their data will be used and requires that the data be used only for these purposes or for a purpose directly related to these purposes. Any collection of personal information must be done in a lawful and fair manner and the data collected must not be excessive having regard to the lawful purposes. Data subjects must also be told who the collected data may be transferred to, their right to access and request data correction and the contact details of the person to whom their requests may be made.

Principle 2: accuracy and duration of retention of personal data
The second principle requires that data users take all practicable steps to ensure that the personal data it holds is accurate and is not kept any longer than is necessary for the original purpose of collection or a directly related purpose.

Principle 3: use of personal data
The third principle requires that data users only use personal data for purposes for which it was collected or any purpose directly related to the original purpose. Subject to some specific exemptions in the PDPO, any additional processing requires the data subject's consent.

Principle 4: security of personal data
The fourth principle requires that data users take all practicable steps to protect personal data against unauthorised or accidental access, processing or deletion having regard to the nature of the personal data and the harm that could result; the physical location where the data is stored; the security measures used in the storage of the data; the measures taken for ensuring the integrity, prudence and competence of people accessing the data; and measures taken to ensure the secure transmission of the data.
Principle 5: disclosure of personal data processing
The fifth principle obliges data users to take all practicable steps to inform data subjects of the kinds of personal data it holds, the purposes for which the data is being held and the policies and practices the data user has in place for handling that data.

Principle 6: data subject access rights
The sixth principle gives data subjects the right to ascertain whether or not a data user holds personal data about them, request access to that data (for a reasonable fee and in a reasonable manner) and request corrections to their personal data. Data users may refuse to comply with a request for access or a correction, but must be prepared to give reasons for doing so.

Exemptions from the data protection principles

The PDPO prescribes some specific exemptions to the requirements of the data protection principles where data is processed in areas such as national security, defence, the prevention or detection of crime, financial regulation, legal professional privilege and the reporting of news.

International transfers

The PDPO contains provisions regulating the transfer of personal data from Hong Kong, but these provisions have not yet been brought into force. The Bureau of Constitutional and Mainland Affairs' comprehensive review of the ordinance launched in 2009 did not consider any proposals to implement these provisions, making it unlikely that they will be brought into force any time soon.

Under these provisions, transferring personal data to places outside Hong Kong would be prohibited unless one or more conditions are met. These conditions include the data subject's written consent having been obtained or the data user having reasonable grounds to believe that the personal data will be transferred to a jurisdiction that provides a similar degree of personal data protection to that provided in Hong Kong.

Although the data export restrictions have not been brought into force in Hong Kong, it should be noted that the six data protection principles above continue to apply to exported data. For example, exported data may only be used for the purposes for which it was lawfully collected (principle 3) and data users must take steps to ensure that exported data is securely held (principle 4) and data subject access rights remain exercisable (principle 6).

Under the 2011 Amendment Bill, the PDPO will have specific provisions directed at cross-marketing, when personal data is sold or otherwise made available to third parties under commercial arrangements. Businesses will not be allowed to undertake such activities unless and until they have disclosed in writing the kinds of personal data being transferred, the classes of persons to which it is being transferred and the types of goods and services that will be cross-marketed. This will see the end for generally worded references to our partners or selected companies receiving transfers of personal data under cross-marketing arrangements, to be replaced with specific references to the nature of the transferees' business: eg financial services companies or telecommunications service providers.

Businesses that carry out cross-marketing must make available at no cost an opt out procedure that allows data subjects to refuse to allow their data to be transferred. Businesses will be free to use personal data in the way in which they have notified data subjects if they do not receive a reply to the contrary from the data subject within 30 days. Data subjects will, however, also have the right to object to cross-marketing at any time thereafter.

The 2011 Amendment Bill also introduces a stepped-up regime for direct marketing (ie marketing by businesses to their own customers).
New, detailed disclosure requirements will be similar to those required for cross-marketing, so that data subjects must be informed of their right to opt out on first use of their personal data for marketing purposes and may also opt out at any time thereafter.

Codes of practice and guidance

The Privacy Commissioner has published a number of codes of practice and written guidance on the processing of personal data in areas such as direct marketing, employment practices, the use of Hong Kong identification card data and credit reference checking.

Enforcement

The PDPO does not make the contravention of a data protection principle an offence, but does prescribe that the breach of an enforcement notice issued by the Privacy Commissioner is an offence punishable by imprisonment and/or by fine. There is a widespread perception that the Privacy Commissioner's enforcement powers are too weak to be an effective deterrent.

The 2011 Amendment Bill will increase the existing penalties and create new offences as outlined above, with criminal prosecution becoming a parallel enforcement mechanism alongside the Privacy Commissioner's administrative powers. A new offence of disclosing personal data without the data subject's consent with the intention to benefit from doing so or to cause loss to the data subject will be introduced, as well as a related offence of disclosing personal data without consent in circumstances that cause psychological harm to the data subject, irrespective of there being any intention to do so. Both these new offences will attract fines of up to HK$1m and up to five years' imprisonment. Similarly, the transfer of personal data in contravention of the new cross-marketing restrictions will be an offence punishable by fines of up to HK$1m and imprisonment for up to five years. Failure to comply with the new direct marketing provisions will be an offence punishable by fines of up to HK$500,000 and imprisonment for up to three years.
Bank secrecy

The common law principles on confidential customer information separately apply to personal data (and other confidential customer information) held by Hong Kong banks. Drawing from the Tournier principles under English common law, Hong Kong law implies a term in every contract between a bank and its customers (whether they be individuals or institutions) that the bank must keep the customer's information confidential and use it only for purposes within the scope of the customer contract. The exceptions to this rule are as follows: the bank must disclose customer information if it is compelled to by law, for example, if a court has ordered disclosure. This exception applies only if such disclosure is required by local law (as opposed to foreign law); the bank must disclose customer information if the public interest requires it; the bank may disclose customer information if its interests require it; and the bank may disclose customer information if it has the express or implied consent of the customer to that disclosure.

The interests of the bank exception is particularly controversial. Traditionally, the exception was interpreted narrowly and disclosure was allowed only if it fell within the interests of ordinary banking practice and the ordinary course of banking business. However, the Hong Kong Court of Final Appeal has ruled that the third exception should have a broader application, particularly if a bank needs to disclose customer information to defend itself in court proceedings. The Tournier principles are only implied contractual terms and can therefore be overridden by express contractual terms to the contrary.

Outsourcing

The PDPO's data protection principles apply to outsourcings generally. Data users will continue to be responsible for their data and compliance with the data protection principles in any outsourcing arrangement. Data processors will not be directly regulated, but data users will be required to secure undertakings from data processors that will prevent unauthorised or accidental access, processing, erasure, loss or use of personal data.
Financial institutions regulated by the Hong Kong Monetary Authority (HKMA) will be required, in addition to meeting bank secrecy requirements, to comply with section (SA2) of the HKMA's Supervising Policy Manual, which prescribes risk management requirements for material outsourcings, including measures in relation to information security. The Hong Kong Commissioner of Insurance has recently issued similar material outsourcing guidelines, for licensed Hong Kong insurers, that are already being applied in practice. These guidelines also deal specifically with information security matters. The Hong Kong Securities and Futures Commission has recommended compliance with the Principles on Outsourcing of Financial Services for Market Intermediaries issued by the International Organization of Securities Commissions, which also incorporates specific information security requirements.

Regulation of unsolicited electronic messages

The Unsolicited Electronic Messages Ordinance (the UEMO) came into force in It covers using improper techniques to communicate with multiple recipients. It seeks to regulate, among other things, the use of address-harvesting software to capture addresses for sending commercial electronic messages (CEM) without the recipients' consent and techniques such as dictionary attacks, commonly employed by spammers. The UEMO prohibits a number of activities related to circulating CEMs. The maximum penalty for such offences is a fine of up to HK$1m and five years' imprisonment.

The rules for sending CEMs include prohibitions on certain types of CEMs, for example prohibitions on CEMs that do not allow recipients to opt out of receiving further messages or CEMs that are sent to recipients who have already asked to unsubscribe. CEMs that are made from withheld telephone or fax numbers are also prohibited.

Since 2007, the Telecommunications Authority has established three do-not-call registers for members of the public to register their phone and fax numbers. These registers serve to strike a balance between the recipients' interests and the commercial interests of senders of CEMs by allowing recipients to notify senders that they do not wish to receive such messages and by providing senders with a convenient means of determining whether they are allowed to contact certain people. Senders can, for a small fee, apply for access to the information in do-not-call registers by registering with a government web portal online at

Employment regulation

The Employment Ordinance regulating employment in Hong Kong does not contain any provisions dealing specifically with the use of information collected from employees (although it does stipulate rules on retention of employment records). The requirements of the PDPO will, of course, apply to all aspects of employment. The Privacy Commissioner has published an Employment Practices Code, which provides detailed regulation of data privacy in this context, including areas such as the monitoring of employees' electronic communications. The Employment Practices Code does not have force of law but a contravention of any of its requirements will be presumed to give rise to a breach of the PDPO unless evidence is raised to show that the relevant requirement of the PDPO has been complied with.

Japan

Data privacy legislation was first introduced in Japan in 1988 to protect computer-processed personal data held by administrative bodies. A comprehensive privacy law, the Personal Information Protection Law (the Act), was later introduced, in May 2003, in response to the increasing pressure on the Japanese government to protect personal data through national legislation rather than industry self-regulation. The Act, which is the first of its kind in Japan, seeks to protect living individuals' rights and interests. It does this through provisions that regulate how national government, local governments and private sector businesses handle information. The provisions on private businesses came into force in April 2005 and are the focus of this section.

The regime operates through the interplay between national legislation and the numerous detailed guidelines published by government ministries for the business sectors for which they are responsible. A business handling personal information (BHPI) must comply with its obligations under the Act and refer to and observe the relevant sector or industry guidelines. BHPIs are defined as any business persons or entities that hold personal information about at least 5,000 individuals for business purposes, for example holding employee information for internal human resources purposes or holding customer information for sales or marketing purposes.

The Act distinguishes between the following three classes of information.

Personal information

Personal information includes any information about a living individual that distinguishes that person from other individuals. It may include a person's name, photograph, date of birth and even their address (if it includes the individual's name, employment or other information which allows for the data subject's identification). Under the Act, a BHPI must specify the intended use of the personal information it holds.
The relevant associated guidelines published by the Ministry of Economy, Trade and Industry confirm that this obligation will be met only if the individuals concerned are informed of the precise purpose for which their personal information will be used. For example, merely stating it is for 'business purposes' will not be sufficient. If the purpose of use changes, the subsequent purpose must be reasonably related to the original purpose. On acquiring new personal information, BHPIs must also either promptly notify the individual concerned of the purpose of use or publicly announce it. The guidelines for the finance sector, published by the Financial Services Agency, provide that such notification must be in writing and that any public announcement must be in a manner appropriate for the business concerned. The Act also includes restrictions on how BHPIs may use personal information. There are some qualifications to these restrictions, such as if an individual's consent has been obtained in advance.

Personal data

Personal data is defined as personal information stored in a database. 'Database' is broadly defined as a collection of information arranged so that it can be retrieved by a computer or structurally constituted to facilitate easy retrieval, such as a list. The Act requires BHPIs to maintain sufficiently accurate and up-to-date personal data to achieve the purpose of use. Some government entities, including the Financial Services Agency, the Ministry of Justice and the Ministry of Internal Affairs and Communications, have published guidelines requiring BHPIs in their respective sectors to set time limits for retaining personal data and to return or dispose of it once the relevant time limit has passed.

BHPIs must also adopt measures necessary and appropriate for preventing the unauthorised disclosure, loss or destruction of personal data and the relevant guidelines list requirements for improvements to internal security systems. The Act also seeks to ensure the security of personal data by obliging BHPIs to provide the requisite level of supervision to all employees handling personal data. More detailed guidance on the above obligations in the context of personal data held for employment purposes has been published by the Ministry of Health, Labour and Welfare.

A key rule within the Act and related guidelines is that, subject to certain exceptions, BHPIs cannot release personal data to third parties without the consent of the individual concerned. If the BHPIs have entrusted personal data, in whole or in part, to a third party, they must monitor and supervise the third party to ensure the safe administration of the information.

Held personal data

Held personal data is personal data held for more than six months that a BHPI has authority to disclose, correct, add to, delete, stop using or stop providing to third parties. Under the Act, BHPIs are required to make certain public announcements, for example through disclosure on websites. This is so that the individuals whose information is held can understand, among other things, the BHPI's identity, the purpose of use of all personal data held and the procedures in place for responding to requests. In addition, the Act details the procedures to be followed if concerned individuals request notification of the purpose of use, disclosure, correction, deletion or cessation of use of their personal data.

The Act and associated guidelines provide that BHPIs must also establish a complaints-processing system to manage the timely and appropriate handling of complaints. In addition, BHPIs are required by the relevant guidelines to publish a privacy policy and must comply with certain reporting requirements under the Act.

If the Act is breached, a relevant minister may recommend to the BHPI that it takes appropriate steps to correct the breach.
If the recommendation is not followed and there is a threat of impeding an individual's material interests, the minister can order the BHPI to comply with the recommendation. A person in breach of such an order will be liable to imprisonment for up to six months or a fine of not more than ¥300,000 (approximately US$3,000).

Singapore

Although highly regarded for the quality of its communications, data processing infrastructure and data security standards, Singapore does not have, as yet, a comprehensive personal data protection regime. However, following a five-year review, the Ministry of Information, Communication and the Arts has recently announced the government's intention to table legislation in the course of 2012 that would put a comprehensive regime in place.

The government published a consultation paper on the proposed regime in September The paper proposes to make the new law consistent with international data protection standards, including the OECD Guidelines and the APAC Privacy Framework, and to apply concurrently with the existing sectoral regulations. It proposes to apply to all organisations in Singapore, except public sector organisations, which will remain subject to their own internal privacy rules and regulations.

A Data Protection Commission will be established to oversee compliance with the new law and will adopt a complaint-based approach for investigating cases of non-compliance rather than a more stringent audit-based regime. The Commission will have powers to issue orders for rectification of non-compliance with the law and impose financial penalties of up to SG$1m. Criminal penalties will be imposed on any organisations or individuals that obstruct the Commission in the performance of its duties, mislead the Commission or fail to comply with a rectification order of the Commission.

In the meantime, sector-specific laws will continue to regulate personal data use in Singapore.
These include the Banking Act, the Statistics Act, the Official Secrets Act, the Electronic Transactions Act and the Statutory Bodies and Government Companies (Protection of Secrecy) Act.

Banking

Singapore's Banking Act imposes strict confidentiality requirements on banks. A bank may not disclose customer information unless it is expressly permitted under the Banking Act's third schedule. Disclosure is permitted in the following circumstances (this list is not exhaustive): if the customer has given written consent; for internal audit purposes; for outsourcing purposes (subject to compliance with conditions established by the regulator); in connection with M&A activity involving the bank; for credit checking purposes; and for marketing purposes.

A common law duty of confidentiality arises either through express contractual terms or terms implied by law to protect confidential information (including personal data). The Tournier principles discussed above (see Hong Kong on page 10), although not strictly binding on Singapore courts, would be relevant in assessing whether any exceptions to this general rule are available to banks under Singapore law.

The Monetary Authority of Singapore (MAS) has published guidelines and standards of conduct that apply to banks' handling of personal data, ranging from general requirements to have data loss prevention strategies in place to more specific requirements such as technical security standards for online bank account authentication.

Insurance

The MAS also regulates insurance business in Singapore, and the MAS guidelines and standards of conduct noted above will generally apply to licensed insurance businesses in Singapore.

Industry self-regulation

There are also industry-based, self-regulatory guidelines. In 2002, the National Internet Advisory Board published a model data protection code for voluntary adoption by the private sector (the Model Code). The Model Code sets out minimum standards for managing and processing personal data in electronic form.

Outsourcing

The MAS has published detailed material outsourcing guidelines that will be relevant to outsourcings by banks, insurers and other MAS-regulated businesses. These guidelines contain detailed risk management requirements for outsourcings, including specific requirements relating to the handling of personal data by outsourced service providers.

Vietnam

Vietnam does not have a developed system of law on personal data protection. Laws on protection of privacy are derived from general principles found in the National Assembly's Civil Code dated 14 June 2005 (Civil Code) and sector-specific laws.

Civil Code

Under the Civil Code, an individual's right to privacy shall be protected by law. However, there is no further regulation to indicate how this protection is to be exercised. The Civil Code also stipulates that the collection and publication of material on the private life of an individual is prohibited, except with the individual's consent or if the collection of data has been approved by a competent state authority. The information that would fall under the private life of an individual is not defined and, to date, no guidance has been provided by the courts or the authorities on this matter. There are no specific restrictions or limitations on the scope for approval of decisions of competent state authorities that provide exceptions to the Civil Code rights.

Law on Consumer Protection

The Law on Consumer Protection, issued by the National Assembly dated 17 November 2010 and effective as of 1 July 2011, contains provisions to protect personal data and reiterates many of the same principles contained in previous laws and decrees. The law focuses extensively on dispute resolution and settlement, but it remains to be seen how relevant these measures are without appropriate instruments to monitor compliance with personal data protection laws. Customer information in the banking sector is subject to protection under the Law on Credit Institutions, as discussed separately below.

Labour Code

There are no specific regulations that restrict the collection, publication or transfer of employees' personal data. However, the general provisions under the Civil Code and Decree 97 (discussed below) would apply and there are regulations that require employers to disclose employees' personal data. Under the Labour Code, businesses must declare to the relevant labour authority details of the individuals they employ at the start of their employment. The declaration form includes data such as name, date of birth, sex, professional level and position. Also, under the Labour Code, foreign invested businesses and foreign organisations are not allowed to recruit local staff without going through an authorised employment service agency. Such agencies hold personal data on employees, including medical certificates and certificates of qualifications, and have authority to transmit this information without limitation.

Internet-related areas

E-commerce

Under Article 46 of the Law on E-Transactions, information revealed in an e-transaction cannot be disclosed without the consent of the parties involved. Such parties are entitled to select measures to maintain confidentiality in accordance with the law upon conducting e-transactions.

Information technology (IT) and telecommunications

There are several provisions aimed at protecting personal data in the IT and telecommunications sectors. Articles 21 and 22 of the Law on Information Technology include several measures to ensure the accuracy and proper use (ie non-disclosure without consent) of personal data in a networked environment.
As such, under Article 21.1 of the Law on Information Technology issued by the National Assembly dated 20 June 2006 (IT Law), organisations and individuals that collect, process and use personal information of another person in a networked environment must obtain the consent of that person. Consent is, however, not required in certain circumstances (eg to modify, sign or perform a contract relating to the use of information, products or services in the network environment; to calculate the charges for use of information, products or services in the network environment; etc). Organisations and individuals collecting, processing and using personal information of another person shall be responsible for notifying such person of the form, scope and purpose of the use of their personal information, using such information only for proper purposes and taking necessary measures to protect the information, among other obligations. Under Article 72.1 of the IT Law, legitimate private information of organisations and individuals that is exchanged, transmitted or stored in the network environment must be kept confidential.

Decree 97

Under Decree 97 of the Government dated 28 August 2008 (Decree 97), organisations and individuals have a right to privacy with respect to their information on the internet and, according to Decree 97, this right is in accordance with the Constitution and the law. The right to privacy of organisations and individuals is considered as a fundamental policy in the management and development of the internet in Vietnam. In addition, Decree 97 strictly prohibits stealing and illegally using private information of organisations or individuals on the internet. However, as with the Civil Code, there are no specific provisions that elaborate on the nature, scope or implementation of this protection.

Telecommunications law

Article 6 of the Law on Telecommunications adds several similar provisions holding telecoms operators responsible for the protection of personal data. As such, the confidentiality of personal information about any organisation or individual that is transmitted via a public telecoms network must be protected. Telecoms enterprises must not disclose personal information about a telecoms user (including the user's name, address, number or other personal information provided by the user when entering a contract with such enterprise) except for certain limited circumstances.

Other areas involving personal data protection

Publications law

The Publication Law prohibits any publication from disclosing secrets of the private life of citizens. Publications are defined as political, economic, cultural, social, scientific, technological, literary, art works and other products that are published, printed or reproduced (by whatever technical means) in Vietnamese, ethnic minority languages, or foreign languages, even where such are not periodically published, and which are intended to be mass-distributed.

Insurance law

Under the Law on Insurance Business, insurance companies are obliged to keep confidential the information they obtain from their policyholders. Insurance companies may be subject to a policyholder's request for compensation for damages resulting from unauthorised disclosures of data.

Banking law

Customer information in the banking sector is subject to protection of the Law on Credit Institutions issued by the National Assembly dated 16 June 2010, under which the information of customers' accounts, deposits, deposited assets and transactions must be kept confidential and the banks and credit institutions (referred to collectively as 'credit institutions') are not permitted to provide such information to any other organisation or individual other than in certain limited cases (eg with the consent of the customers or at the request of the competent state authorities).

Under Decree 70 of the Government dated 21 November 2000 (Decree 70), credit institutions are permitted to supply information concerning deposits and deposited property of customers in certain limited circumstances, including where: the information is for the credit institution's 'internal activities'; the information is provided to another credit institution on its request. In such circumstances, the other credit institution may use the supplied information only for its 'internal activities'; the information sharing or transfer is requested by the customer or the customer's lawfully authorised representative. This provision arguably permits a customer to ask a credit institution to share information on their deposits with other credit institutions; or the information is requested by a competent state authority.

When data is shared among banks in accordance with Decree 70, Circular 02 of the State Bank of Vietnam dated 4 April 2001 stipulates that: the general director of the bank (or a duly authorised representative) must authorise the supply of the information.
As the law is drafted, it appears that the general director or his authorised representative would need to authorise each individual disclosure of information; and the provision of information must be accompanied by a summary of the disclosure, defined as a 'minute of provision of information', containing: the time of the provision of information; the place of the provision of information; detailed contents of the information provided; the scope of use of the information provided; the names of the representatives of the information provider and recipient; the persons participating in the process; and witnesses (if any).

Other Asian jurisdictions

India

India does not have a comprehensive data protection law but has recently made steps towards one. A Personal Data Protection Bill was introduced to the Indian parliament in 2006, but it has not yet found its way to the legislative agenda. The Information Technology Act 2000 currently imposes fines and other penalties on companies and individuals found to have misused personal data stored and transmitted through IT systems.

In April 2011, the Ministry of Communications and Information Technology published draft rules entitled Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the Rules), which represent a dramatic step towards a comprehensive data protection law. The Rules reflect a European-style approach to regulating data privacy, including establishing a category of sensitive personal data. Under the Rules, data subjects' consent must be obtained before their personal data is collected and disclosed to third parties, and export of personal data is only permitted with the data subject's consent and only to jurisdictions with equivalent levels of data security protection. The Rules also require reasonable security practices and procedures to be implemented for the handling of personal data, including a comprehensive information security programme and information security policies to prevent and manage security breaches.

The Ministry of Communication and Technology issued a clarification to the Rules in August 2011, stating that it has no intention to regulate India's offshore services providers or to regulate businesses in other countries that export personal data to India. The Rules only apply to organisations in India and service providers are exempt from most of them, except for the cross-border controls and security obligations.
However, some issues regarding interpretation of the Rules remain to be resolved; for example, whether consent is needed to export data collected by Indian call centres from overseas callers back to the country of origin.

Indonesia

The Government Data Privacy Protection Act of 2007 has been tabled in draft but has not yet been enacted. This draft legislation is based on the approach taken under the European Directive. The Electronic Information and Transactions Law of 2008 regulates electronic data processing, requiring that data subjects consent to the use of their data. Depending on the context, data subject consent may be required before export of personal data from Indonesia can occur. There are other relevant provisions relating to the collection of information for medical records and the disclosure of certain customer information by banks. The criminal law and telecommunications laws also have specific provisions that may impact on specific uses of personal data.

Malaysia

Malaysia has enacted the Personal Data Protection Act 2010 (the PDPA), a comprehensive data privacy regulatory regime closely modelled on European data protection law. The PDPA applies to any person who processes, has control over, or authorises the processing of any personal data used in commercial transactions. Malaysian incorporated companies, partnerships, associations or residents or entities that maintain an office, branch, agency or regular practice in Malaysia are all subject to the PDPA. Processing is widely defined and covers collecting, recording, holding or storing personal data, as well as carrying out operations concerning the handling of personal data. The Personal Data Protection Principles in the PDPA set out the core standards governing the handling of personal data.

Data users are required to obtain the individual's consent before processing their data. The data user must also notify the individual of the specific purposes for the processing of their data and must not process the personal data for any other purposes without the individual's further consent. The form that the consent may take is not defined under the PDPA, but would generally involve some affirmative acceptance on the part of the individual for the processing of their personal data. An opt-in arrangement would therefore appear advisable to meet the requirements.

The PDPA also contains a concept of sensitive personal data, which includes information relating to an individual's physical or mental health or condition, political opinions, religious beliefs, criminal record and opinions of others. The explicit consent of the individual is required for the use of their sensitive personal data and should specifically refer to the nature of the data to be processed, the purpose of processing and any specific impact this may have on the individual. Although enacted and gazetted in 2010, the PDPA has yet to come into effect.

The Philippines

The Philippines lacks a general data privacy law, but there are specific data privacy regulations appearing in various statutes, including the Electronic Commerce Act. In 2006, the Department of Trade and Industry published the Administrative Order 6, which contains Guidelines for the Protection of Personal Data in Information and Telecommunication Systems in the Private Sector. This administrative order has the force of law in the Philippines and imposes requirements similar to those seen in European data privacy legislation. These include data subject notification requirements and a duty on businesses processing personal data to enter into contractual arrangements with service providers, prescribing the purposes for which data will be processed and the security measures to be applied.
In March 2011, the Philippine Congress passed the Data Privacy Act 2011 (DPA), which will establish practices and regulations relating to the collection, use and protection of an individual's private information in both private and government information communication systems. The DPA is currently before the Philippine senate for deliberation. The senate committee has approved the creation of a National Privacy Commission to implement the DPA and its regulations once enacted.

South Korea

South Korea has enacted strict regulation for the processing of personal information under the Personal Information Protection Act (PIPA), which came into force on 30 September 2011, and draft Regulations for PIPA, published in May 2011, which remain subject to review. PIPA regulates the overall processing of personal information gathered in either the public or private sectors.

PIPA sets out specific requirements of disclosure on personal information processors, ie data collectors, regarding the purpose, period of retention and use of the personal data, as well as the identity of any third parties to which the personal data may be transferred, and the purpose, retention period and specific items of data to be transferred. PIPA imposes mandatory contractual provisions for data processing and sub-contractor agreements, such as requirements for information processing only for agreed purposes, administrative and technical security measures, and restrictions on sub-contracting. Importantly, PIPA requires personal information processors to publicly disclose details of any data processing sub-contractor relationships, which in practice may be difficult given the changing nature of such sub-contractor relationships. Sensitive personal information is prohibited from being processed in principle and requires a separate consent from the data subjects.
PIPA also restricts the transfer of personal data overseas from South Korea, requiring separate notice and prior consent of data subjects before transfer may take place.

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance About Canada Dispute Resolution Forms of Business Organization Aboriginal Law Competition Law Real Estate Securities and Corporate Finance Foreign Investment Public- Private Partnerships Restructuring

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

Getting Serious about Privacy and Cyber Security in Asia Pacific SESSION ID: CDS-F04 Getting Serious about Privacy and Cyber Security in Asia Pacific Scott Thiel Partner DLA Piper @DLA_Piper Peter Jones Partner DLA Piper @DLA_Piper Agenda Current threat environment

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

Queensland WHISTLEBLOWERS PROTECTION ACT 1994 Queensland WHISTLEBLOWERS PROTECTION ACT 1994 Act No. 68 of 1994 Queensland WHISTLEBLOWERS PROTECTION ACT 1994 Section PART 1 PRELIMINARY TABLE OF PROVISIONS Division 1 Title and commencement Page 1 Short

Overview of the Impact of the Privacy Reforms on Credit Reporting Overview of the Impact of the Privacy Reforms on Credit Reporting June 2012 Andrew Galvin, Partner 1 OVERVIEW 1.1 Credit Reporting Reform - Background When initially passed, the Privacy Act 1988 essentially

CYBER SECURITY - CYBER RISK MANAGEMENT AND MITIGATION. Scott Thiel, Partner June 2015 CYBER SECURITY - CYBER RISK MANAGEMENT AND MITIGATIN Scott Thiel, Partner June 2015 Agenda 1. Current threat environment 2. Regulatory frameworks of countries in the Asia Pacific region 3. Key challenges

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

The Cloud and Cross-Border Risks - Singapore The Cloud and Cross-Border Risks - Singapore February 2011 What is the objective of the paper? Macquarie Telecom has commissioned this paper by international law firm Freshfields Bruckhaus Deringer in

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 EUROPEAN COMMUNITIES (ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES) (PRIVACY AND ELECTRONIC COMMUNICATIONS) REGULATIONS 2011 (Prn. A11/1165) 2 [336] S.I.

What's Up with Apps in Hong Kong July 2013 What's Up with Apps in Hong Kong July 2013 In May this year, the Hong Kong Privacy Commissioner for Personal Data ("Privacy Commissioner") joined the Global Privacy Enforcement Network ("GPEN") to conduct

COMPUTER MISUSE AND CYBERSECURITY ACT (CHAPTER 50A) COMPUTER MISUSE AND CYBERSECURITY ACT (CHAPTER 50A) (Original Enactment: Act 19 of 1993) REVISED EDITION 2007 (31st July 2007) An Act to make provision for securing computer material against unauthorised

Data protection issues on an EU outsourcing Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable

Privacy and Cloud Computing for Australian Government Agencies Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.

Guidance on Personal Data Protection in Cross-border Data Transfer 1 Guidance on Personal Data Protection in Cross-border Data Transfer PART 1: INTRODUCTION Section 33 of the Personal Data (Privacy) Ordinance (the Ordinance ) prohibits the transfer of personal data to places

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

Privacy Law in Canada Privacy Law in Canada Federal and provincial privacy legislation has a profound impact on the way virtually all organizations carry on business across the country. Canada s privacy laws, while likely the

Mexico. Rodolfo Trampe, Jorge Díaz, José Palomar and Carlos López. Von Wobeser y Sierra, S.C. Mexico Rodolfo Trampe, Jorge Díaz, José Palomar and Carlos López Market overview 1 What kinds of outsourcing take place in your jurisdiction? In Mexico, a subcontracting regime (understood as the regime

(a) the kind of data and the harm that could result if any of those things should occur; Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

COMMENTARY. Hong Kong Strengthens Its Personal Data. on Direct Marketing JONES DAY May 2013 JONES DAY COMMENTARY Hong Kong Strengthens Its Personal Data Privacy Laws and Imposes Criminal Penalties on Direct Marketing In 2012 Hong Kong introduced the Personal Data (Privacy) (Amendment)

on the transfer of personal data from the European Union on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP

Personal Data Protection LAWS OF MALAYSIA. Act 709 PERSONAL DATA PROTECTION ACT 2010 1 LAWS OF MALAYSIA Act 709 PERSONAL DATA PROTECTION ACT 2010 2 Laws of Malaysia ACT 709 Date of Royal Assent...... 2 June 2010 Date of publication in the Gazette......... 10 June 2010 Publisher s Copyright

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

Privacy Policy. Federal Insurance Company, Singapore Branch Singapore Personal Data Protection Privacy Policy. 1. Introduction Privacy Policy 1. Introduction Federal Insurance Company, Singapore Branch ( we, our or us ) recognise the importance of protecting the privacy and the rights of individuals in relation to their personal

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

DIFC LAW NO. 1 OF 2007 DATA PROTECTION LAW DIFC LAW NO. 1 OF 2007 Consolidated Version (December 2012) Amended by Data Protection Law Amendment Law DIFC Law No. 5 of 2012 CONTENTS PART 1: GENERAL... 4 1. Title... 4 2. Legislative

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

DATA PROTECTION AUDIT GUIDANCE DATA PROTECTION AUDIT GUIDANCE CONTENTS Section I: Section II: Audit of Processing of Personal Data Audit Procedure Appendices: A B C D E Audit Form List of Purposes List of data subjects List of data

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG

Personal Data Protection Bill Bill No. /12. Personal Data Protection Bill Read the first time on 12. Section PERSONAL DATA PROTECTION ACT 12 1. Short title and commencement 2. Interpretation 3. Purpose 4. Application of Act (No. 12)

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

Last updated: 30 May 2016. Credit Suisse Privacy Policy Last updated: 30 May 2016 Credit Suisse Please read this privacy policy (the ) as it describes how we intend to collect, use, store, share, and safeguard your information. By accessing, visiting or using

PRIVACY POLICY. comply with the Australian Privacy Principles (APPs); ensure that we manage your personal information openly and transparently; PRIVACY POLICY Our Privacy Commitment Glo Light Pty Ltd A.C.N. 099 730 177 trading as "Lighting Partners Australia of 16 Palmer Parade, Cremorne, Victoria 3121, ( LPA ) is committed to managing your personal

The eighth data protection principle and international data transfers Data Protection Act 1998 The eighth data protection principle and international data transfers The Information Commissioner s recommended approach to assessing adequacy including consideration of the issue

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

South East Asia: Data Protection Update Data Privacy and Security Team To: Our Clients and Friends September 2013 South East Asia: Data Protection Update Europe has had data protection laws in place for over a decade. Such laws regulate how

http://www.pcpd.org.hk/english/publications/files/gn_insurance_e.pdf Briefing Data privacy regulation: Spotlight on Hong Kong insurers Summary Two recent regulatory initiatives will place the Hong Kong insurance industry s use and handling of personal data under greater

Personal Data Act (1998:204); Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

Consultation Document on Review of the Personal Data (Privacy) Ordinance Consultation Document on Review of the Personal Data (Privacy) Ordinance August 2009 Contents Page Foreword Executive Summary i iii Chapter One : Introduction 1 Chapter Two : An Overview of the Personal

By Directors, Officers and Employees of Hellaby Holdings Limited and its Subsidiaries ( The Company ) Code of Conduct for Securities Trading ( Code ) By Directors, Officers and Employees of Hellaby Holdings Limited and its Subsidiaries ( The Company ) Approved by the Board: 10 May 2013 1. Introduction

Cloud Computing. Introduction Cloud Computing Introduction This information leaflet aims to advise organisations which are considering engaging cloud computing on the factors they should consider. It explains the relationship between

Credit Union Code for the Protection of Personal Information Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve

Guidelines on Data Protection. Draft. Version 3.1. Published by Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...

THE OFFICIAL GAZETTE 10 TH JUNE, 2010 LEGAL SUPPLEMENT A THE OFFICIAL GAZETTE 10 TH JUNE, 2010 LEGAL SUPPLEMENT A GUYANA ACT No. 9 of 2010 CREDIT REPORTING ACT 2010 ARRANGEMENT OF SECTIONS SECTION PART I PRELIMINARY 1. Short title and commencement. 2. Interpretation.

ELECTRONIC COMMERCE AND ELECTRONIC SIGNATURE ACT (ZEPEP-UPB1) (Official consolidated text) ELECTRONIC COMMERCE AND ELECTRONIC SIGNATURE ACT (ZEPEP-UPB1) (Official consolidated text) On basis of article 153 of the National Assembly of Slovenia Rules of Procedure the National Assembly of the Republic

2015 No. 1945 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Business (Credit Information) Regulations 2015 S T A T U T O R Y I N S T R U M E N T S 2015 No. 1945 FINANCIAL SERVICES AND MARKETS The Small and Medium Sized Business (Credit Information) Regulations 2015 Made - - - - 26th November 2015 Coming into

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

2015 No. 0000 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Businesses (Credit Information) Regulations 2015 Draft Regulations to illustrate the Treasury s current intention as to the exercise of powers under clause 4 of the the Small Business, Enterprise and Employment Bill. D R A F T S T A T U T O R Y I N S

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text

Identity Cards Act 2006 Identity Cards Act 2006 CHAPTER 15 Explanatory Notes have been produced to assist in the understanding of this Act and are available separately 6 50 Identity Cards Act 2006 CHAPTER 15 CONTENTS Registration

An overview of UK data protection law An overview of UK data protection law Our team Vinod Bange Partner +44 (0)20 7300 4600 v.bange@taylorwessing.com Graham Hann Partner +44 (0)20 7300 4839 g.hann@taylorwessing.com Chris Jeffery Partner +44

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy) PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard

Crossing Borders New Guidance on the Transfer of Personal Data outside Hong Kong Legal Update Privacy & Security Hong Kong 20 January 2015 Crossing Borders New Guidance on the Transfer of Personal Data outside Hong Kong Section 33 of the Hong Kong Personal Data (Privacy) Ordinance

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data *) For the purposes of these Corporate Guidelines, Third Countries are all those countries, which do not

Crimes (Computer Hacking) 2009-44 CRIMES (COMPUTER HACKING) ACT 2009 by Act 2011-23 as from 23.11.2012 Principal Act Act. No. 2009-44 Commencement except ss. 15-24 14.1.2010 (LN. 2010/003) Assent 3.12.2009 Amending enactments Relevant

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person. PART I: INTRODUCTION AND BACKGROUND Purpose This Data Protection Binding Corporate Rules Policy ( Policy ) establishes the approach of Fluor to compliance with European data protection law and specifically

Exercising Your Right of Consent to and Opt-out from Direct Marketing Activities under the Personal Data (Privacy) Ordinance 1 Exercising Your Right of Consent to and Opt-out from Direct Marketing Activities under the Personal Data (Privacy) Ordinance 1 It is common for members of the public to receive unsolicited telephone calls,

Data, Privacy, Cookies and the FTC in 2013. Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller Data, Privacy, Cookies and the FTC in 2013 Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller BIOS Kevin Stark: Product Manager at ExactTarget. Focused on data security,

Privacy Law in Canada by PATRICIA WILSON & MICHAEL FEKETE Protection of personal information remains at the forefront of public policy debate in. Federal and provincial privacy legislation has a profound impact on the way virtually

Freedom of information guidance Exemptions guidance Section 41 Information provided in confidence Freedom of information guidance Exemptions guidance Section 41 Information provided in confidence 14 May 2008 Contents Introduction 2 What information may be covered by this exemption? 3 Was the information

CROATIAN PARLIAMENT 1364 CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on

Electronic Commerce ELECTRONIC COMMERCE ACT 2001. Act. No. 2001-07 Commencement LN. 2001/013 22.3.2001 Assent 14.3.2001 ELECTRONIC COMMERCE ACT 2001 Principal Act Act. No. Commencement LN. 2001/013 22.3.2001 Assent 14.3.2001 Amending enactments Relevant current provisions Commencement date 2001/018 Corrigendum 22.3.2001

Information Paper for the Legislative Council Panel on Financial Affairs. Protection of Consumer Credit Data LC Paper No. CB(1)691/03-04(01) Information Paper for the Legislative Council Panel on Financial Affairs Protection of Consumer Credit Data Purpose Pursuant to the request by the Panel vide the Clerk to

INTERNATIONAL SOS. Data Protection Policy. Version 1.05 INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA

07/2013. Specific Terms and Conditions Mobile Device Management 07/2013 Specific Terms and Conditions Mobile Device Management GENERAL PROVISIONS 1. Offer and Agreement 1.1 The present contractual terms and conditions (hereinafter referred to as Terms and Conditions

Maybank Kim Eng Securities Pte Ltd Terms and Conditions Maybank Kim Eng Securities Pte Ltd Terms and Conditions for Financial Advisory Services Telephone Email Website : (65) 6432 1888 (Singapore and Overseas) : helpdesk@maybank-ke.com.sg : www.maybank-ke.com.sg

Cyber and data Policy wording Please read the schedule to see whether Breach costs, Cyber business interruption, Hacker damage, Cyber extortion, Privacy protection or Media liability are covered by this section. The General terms and

Zinc Recruitment Pty Ltd Privacy Policy 1. Introduction Zinc Recruitment Pty Ltd Privacy Policy We manage personal information in accordance with the Privacy Act 1988 and Australian Privacy Principles. This policy applies to information collected

PRIVACY POLICY Personal information and sensitive information Information we request from you PRIVACY POLICY Business Chicks Pty Ltd A.C.N. 121 566 934 (we, us, our, or Business Chicks) recognises and values the protection of your privacy. We also understand that you want clarity about how we manage

ELECTRONIC TRANSACTIONS ACT 1999 BERMUDA 1999 : 26 ELECTRONIC TRANSACTIONS ACT 1999 BERMUDA 1999 : 26 ELECTRONIC TRANSACTIONS ACT 1999 [Date of Assent 5 August 1999] [Operative Date 4 October 1999] ARRANGEMENT OF SECTIONS 1 Citation PART I PRELIMINARY 2 Definitions 3 Crown to be bound

(28 February 2014 to date) NATIONAL PAYMENT SYSTEM ACT 78 OF 1998 (28 February 2014 to date) [This is the current version and applies as from 28 February 2014, i.e. the date of commencement of the Financial Services Laws General Amendment Act 45 of 2013 to date] NATIONAL

Insurance Law Reforms and Requirements for Direct Offshore Foreign Insurers (DOFIs) Insurance Law Reforms and Requirements for Direct Offshore Foreign Insurers ("DOFIs") The Clayton Utz contact for this document is Fred Hawke, Partner Clayton Utz Lawyers Level 18 333 Collins Street Melbourne

Application of the Electronic Communications and Transactions Act to Online Merchants From Other Jurisdictions Northwestern Journal of Technology and Intellectual Property Volume 1 Issue 1 Spring Article 7 Spring 2003 Application of the Electronic Communications and Transactions Act to Online Merchants From Other

Act on the Supervision of Financial Institutions etc. (Financial Supervision Act) FINANSTILSYNET Norway Translation update January 2013 This translation is for information purposes only. Legal authenticity remains with the official Norwegian version as published in Norsk Lovtidend.

1. Introduction. 2. Sectoral Areas Affected. 3. Data Security. 4. Data Breach Requirements. 5. Traffic Data 1. Introduction Special data protection rules apply to the protection of Personal Data by Data Controllers in the electronic communications sector. These are in addition to the general obligations that

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

GARANTE PER LA PROTEZIONE DEI DATI PERSONALI WHEREAS [doc. web n. 1589969] Spamming: How to Lawfully Email Advertising Messages GARANTE PER LA PROTEZIONE DEI DATI PERSONALI Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof.

The Electronic Transactions Law Chapter I Title and Definition The Union of Myanmar The State Peace and Development Council The Electronic Transactions Law ( The State Peace and Development Council Law No. 5/2004 ) The 12th Waxing of Kason 1366 M.E. (30th April, 2004)

How To Understand The Data Protection Act DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

Act CLXV of 2013. on Complaints and Public Interest Disclosures. 1. Complaint and public interest disclosure Act CLXV of 2013 on Complaints and Public Interest Disclosures The National Assembly, committed to increasing public confidence in the functioning of public bodies, recognising the importance of complaints

More information

Unsolicited visits and surprise requests for information by the Financial Services Authority. April 2009

Unsolicited visits and surprise requests for information by the Financial Services Authority. April 2009 Unsolicited visits and surprise requests for information by the Financial Services Authority April 2009 Contents 1. Introduction 1 2. The FSA s investigatory powers 2 3. Confidentiality of information

More information

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal

More information

SPAM AND PRIVACY ISSUES. Spam for Breakfast, Lunch and Dinner: What will the Unsolicited Electronic Messages Bill do for Privacy?

SPAM AND PRIVACY ISSUES. Spam for Breakfast, Lunch and Dinner: What will the Unsolicited Electronic Messages Bill do for Privacy? SPAM AND PRIVACY ISSUES Spam for Breakfast, Lunch and Dinner: What will the Unsolicited Electronic Messages Bill do for Privacy? 30 March 2006 Graeme Crombie Senior Associate Minter Ellison Rudd Watts

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

27 July 2006 No.152-FZ RUSSIAN FEDERATION FEDERAL LAW PERSONAL DATA. (as amended by Federal Law of 25.11.2009 No.266-FZ) Chapter 1.

27 July 2006 No.152-FZ RUSSIAN FEDERATION FEDERAL LAW PERSONAL DATA. (as amended by Federal Law of 25.11.2009 No.266-FZ) Chapter 1. 27 July 2006 No.152-FZ RUSSIAN FEDERATION FEDERAL LAW PERSONAL DATA (as amended by Federal Law of 25.11.2009 No.266-FZ) Article 1. Scope of This Federal Law Chapter 1. GENERAL Adopted by The State Duma

More information

Financial Advisers (Amendment) Bill

Financial Advisers (Amendment) Bill Financial Advisers (Amendment) Bill Bill No. 15/2015. Read the first time on 11 May 2015. A BILL intituled An Act to amend the Financial Advisers Act (Chapter 110 of the 2007 Revised Edition). Be it enacted

More information

Hong Leong Asia Ltd.

Hong Leong Asia Ltd. Hong Leong Asia Ltd. Personal Data Protection Policy The protection of your Personal Data is important to us. This Personal Data Protection Policy ( PDP Policy ) outlines how we manage your personal data,

More information

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq.

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq. EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update By Stephen H. LaCount, Esq. Overview The European Union Data Protection Directive 95/46/EC ( Directive ) went effective in

More information