A warm hello to all my fellow privacy professionals, this time from Washington, D.C.
The city is stunning this time of the year. I do not know what it is that makes it so special — whether it is the cherry blossoms, lingering romantic rain, or the fact that we are gathered at the IAPP Global Privacy Summit 2024 for yet another stellar lineup of content and speakers hailing from around the world.
I am thrilled to return to Summit to speak on a panel titled "Sugar and Spice but Not Everything Nice: Overcoming Privacy Challenges in Asia." My co-panelists are from China, India, Japan and the Philippines, and we will no doubt be fighting collective jetlag to present on the myriad privacy developments and updates from across the Pacific.
We're discussing the differences in operationalizing compliance in each of our jurisdictions. These will span one's ability to invoke consent or legitimate interests as lawful bases for personal data processing, the geographical reach of our respective comprehensive privacy legislation, our highly nuanced cross-border transfer requirements and mechanisms, the oft-fragmented obligations on breach reporting and — almost certainly one of the star topics at this year's conference — our individual approaches towards the regulation and governance of artificial intelligence.
In the lead-up to this week, we once again saw spurts of privacy activity in Southeast Asia. Here are four recent highlights to keep an eye on as things develop:
- Thailand's regulations for cross-border transfers of personal data have come into force as of 24 March. The Personal Data Protection Committee is now accepting binding corporate rules for intragroup transfers, but this is subject to their passing an audit and approval process based on certain specified criteria.
- Indonesia has indicated that its much-anticipated regulations to implement the Personal Data Protection Law are undergoing discussions among its ministries and are on course to be enacted into law soon. Indications suggest this could be as early as June.
- Malaysia passed a new Cybersecurity Bill on 27 March, imposing security obligations on the country's critical information infrastructure. These include having to report cybersecurity incidents, which for such critical information infrastructure would overlap and align with obligations under the nation's Personal Data Protection Act 2010 when amended, as the latter is expected to also introduce mandatory personal data breach reporting.
- Singapore published advisory guidelines addressing the Personal Data Protection Act's applicability to organizations offering products or services to children in an online environment. These would include social media, educational technology, online games and smart toys and devices. The guidelines contain a data protection impact assessment template, as well as case examples to illustrate how the law would apply in commonly encountered scenarios within this specified context.
Undoubtedly, there will be plenty more to come as we head into the second quarter of 2024. Be well, everyone.