Norton Rose Fulbright Partner Anna Gamvros, CIPP/A, CIPT, FIP, is recognized as a leading privacy expert in the Asia-Pacific region. Her law firm has offices in Hong Kong and Brisbane, Australia, where she advises her clients on the evolving data protection regulations throughout the Pacific Rim.

Gamvros was recently named to the IAPP Board of Directors. She previously served on the IAPP’s Asia-Pacific Advisory Board and Board of Women Leading Privacy.

In this IAPP member spotlight, Gamvros spoke to Staff Writer Alex LaCasse about her work, and she previewed the upcoming panel discussion she will lead at the IAPP Global Privacy Summit 2022, “Enter the Dragon: Perspectives on Navigating the New Data Laws in China.”

The Privacy Advisor: From the time you started your career, how have data protection regulations changed across Asia-Pacific over time to where the landscape is today?

Anna-Gamvros.png
Anna Gamvros, CIPP/A, CIPT, FIP

Gamvros: It’s been a complete change, really. Twenty years ago, I moved from Australia to Hong Kong. At the time, in the Asia-Pacific region, Hong Kong, was one of the few counties that had a data protection law — sort of a standard data protection law. There were some others in the region that had industry-specific (regulations) or sort of light-touch regimes. Probably in the last 12 years, we've seen a complete overhaul of the data protection landscape in Asia-Pacific. We have many jurisdictions now that have significant omnibus data protection laws, we have regulators who are very active and taking enforcement action. In a number of countries, we have cybersecurity laws and regimes that requires IT and infrastructure around cybersecurity. We also have a breach notification regime in many countries as well, which, when I first moved to region, were completely unheard of.

The Privacy Advisor: Can you please give a general overview of where China’s new data protection laws stand?

Gamvros: There’s kind of interplay with three pillars. There's the cybersecurity law, which came in a few years ago, a data security law, which came into effect last year, and then personal data protection law came into effect last year. The personal data protection law is more what we're used to seeing in the western world around data protection law and it's quite broad. Many people are familiar with the (EU General Data Protection Regulation). Obviously, it has many elements that are similar to the GDPR, but it also has its own nuances and differences. The way the law is written is quite high level, so we are still seeing a lot of regulations and guidelines that will come and fill out the details. So, with anything, the devil is always in the details. We're waiting to see number of terms and number of requirements and more how they'll be filled out, and how those global organizations are going to have to change their existing privacy programs to fit to work in China. There’s a lot of work to be done there.

The Privacy Advisor: Because there is so much international commerce in China, from a compliance standpoint, what provisions in its data protection laws are you finding your clients are most concerned with?

Gamvros: I think the hottest topic for our clients is really looking at data localization and transfer; what do they need to — whether they're impacted by the regime to keep data onshore in China, whether they're going to be restricted in how they can move data in and out of China, and how they can access data from outside within China. That's really the number one concern that our clients have because in any way moving data across borders is becoming increasingly more regulated, and obviously, (is) a big impact for any clients who are running an international business.

The Privacy Advisor: You’re hosting a discussion at GPS about how international businesses can navigate China’s data protection laws. What do you hope attendees take away from the panel?

Gamvros: I think we will have a slightly different panel, rather than just a download on what the laws are. It’ll be more talking to those privacy professionals who are in global roles outside of China, and how they're perceiving and operationalizing the new laws, building them into parts of — building them into privacy programs, and what they're seeing that their colleagues do. We really want to take a practical look at the challenges that the new laws are putting out and what their key considerations are, with respect to their global programs.

The Privacy Advisor: Throughout the Asia-Pacific region, countries that have data protection regulations and those working to establish their own comprehensive data protection laws, such as India, give their data protection authorities varying degrees of independence. How critical is it for data protection authorities to be independent?

Gamvros: The laws themselves are all standalone laws, and they've all kind of grown up in those countries. They were developed for each of the countries in the region for different kinds of geopolitical and economic reasons. Some may have been drafted following some kind of data incident, so they've all got different drivers for how they've come about. You can see by looking at the different roles in the region that the drivers and the economic and geopolitical drivers in those countries do come out in those laws, whether it's a country that is trying to create a kind of safe haven for data as kind of a technology hub, or whether they want to be an outsourcing hub, where they're just trying to bring themselves up in line with international standards.

They're all different and they all draw differently from the existing laws around the world. We haven't seen any — any — country in this region wholesale copy a law and put that in place. What rights do you have for individuals? What fines they put in place? What enforcement regime do they put in place, even the regulator, and the regulator’s powers? So, all of that are kinds of variations to suit the particular jurisdiction. As a result, we get this huge patchwork of laws in this region.

The Privacy Advisor: You mentioned this patchwork of privacy laws across the Asia-Pacific region. How difficult has it been for your clients to navigate these legal regimes that can vary widely by country?

Gamvros: It can be very tricky. We have to help our clients find a baseline. What is it that suits their business in terms of where they're located — the type of business they do, where their customer base is located? So (we) have to help them find that baseline and to work to that baseline. Then, from there, we look at the different regimes and how they'll affect that baseline. There's no one-size-fits-all answer; you have to look at the organization and then try and kind of fashion a solution for them while taking into account all of those factors.

The Privacy Advisor: You were just named to IAPP’s Board of Directors this year. What experiences do you think you bring to the board?

Gamvros: I'm really excited about joining the IAPP Board of Directors. One of the things that I'm bringing is that I’m the only board member coming from the Asia-Pacific region. I can bring some insights from what we've experienced both across Hong Kong and Australia, and also bring insights from what's going on in this part of the world, and how it’s impacting privacy professionals here.

The Privacy Advisor: You were recognized by Chambers Greater China Region as the region’s top Information Technology expert this year; what does this honor mean to you?

Gamvros: It's great recognition because it comes from clients and peers. So, it's always nice to be recognized from both groups because they're the most important people in our world. It's a great honor, and I share that with some other great practitioners in the region.

Photo by Keagan Henman on Unsplash