Hello privacy pros.

To kick off this week’s digest, I’d like to reflect on an article from the Daily Dot regarding the Philippines’ Subscriber Identity Module Card Registration Act which became law this month. The law mandates that individuals must use their real name and phone number when registering for a social media account, and those using “fictitious identities” to register an account may face up to six years imprisonment or fines up to the equivalent of just under US$4,000. Additionally, it requires social media companies to retain user data for 10 years after account deactivation.

Despite the law’s intentions to help thwart online crimes, its breadth raises troubling privacy concerns. Privacy is an enabling right which underpins individuals’ rights of expression and association, both of which are essential to the health and operation of democratic institutions. The vast majority of social media users are not engaged in online crime, yet a law requiring social media activity to be traceable back to identifiable individuals is likely to have a chilling effect on public debate and dissent on controversial issues. Additionally, a 10-year mandatory retention period puts the privacy of those individuals at risk (e.g., in the case of the social media platform suffering a security breach) as well as running contrary to certain privacy-preserving controls within some social media platforms to make content ephemeral. Users deleting their social media accounts may do so specifically because they no longer trust the social media platform, making it ironic that the organization may then be required to retain the users’ data for a decade.

Although the Philippines has made itself an outlier on this topic, other jurisdictions have considered similar approaches to identity verification. Australia has flirted with the idea of requiring a full identity check for social media — a proposition that would frustrate the intent of Australian Privacy Principle 2 requiring organizations to give people the option to interact anonymously or pseudonymously — but has so far avoided such measures. Proposed changes to Australia’s privacy regime as part of the government’s Online Privacy Bill include requirements for verifying the age of potentially all social media users. This will present a logistical challenge in and of itself and it will be important for government and organizations to find means to appropriately verify age whilst preserving our ability to interact with online services in a privacy-protected manner.

Looking elsewhere in the region, organizations who operate in or interact with the Japanese market should already be aware that Japan’s updates to its Act on the Protection of Personal Information come into effect next month, April 2022. The territorial scope of APPI extends to organizations operating outside of Japan but processing personal information of individuals who are within the country. The updates include new information categories (e.g. special care-required personal information, personal related information and pseudonymous information), changes to the requirements for cross-border transfers, as well as mandatory breach notification.

Finally, the