The 2024 Paris Olympics may have concluded recently, but there is still very much a "let the games begin" feeling around privacy here in Asia.
Our symbol for the opening ceremony is Malaysia, with a groundbreaking amendment to its Personal Data Protection Act. This law took the lead in 2010 as the first comprehensive privacy law to be enacted in Southeast Asia, before coming into force in November 2013.
Following passage by Malaysia's Senate on 31 July, the amendment bill will relay to receive royal assent and thereafter come into force on a date to be appointed by the minister of digital by notification in the Official Federal Gazette.
Updates that made it to the finals include:
- New hurdles for data controllers, including the requirement to report data breaches to the data protection commissioner as soon as practicable. Further, if the breach is likely to cause significant harm to a data subject, the controller must also inform the data subject without unnecessary delay. While a breach has been defined as any breach, loss, misuse or unauthorized access of personal data, no definition has yet been provided for significant harm.
- More direct weightlifting for data processors to protect personal data from loss, misuse and other similar risks. Failure to comply will lead to a fine of up to MYR1 million and/or imprisonment for up to three years.
- Recognition of biometric data as sensitive personal data.
- New data-subject right to data portability.
- Refreshed cross-border data transfer rules. Instead of a white-listing approach, personal data can be transferred from Malaysia to any place outside the country with laws substantially similar to the PDPA or any place that provides an adequate level of protection for processing equivalent to the PDPA.
- Stricter disqualifications for noncompliance. A breach can now trigger fines of up to MYR1 million and/or imprisonment of up to three years. This is steeper than the current MYR300,000 maximum fine and/or two-year term of imprisonment.
Sharing the podium of developments this month is the Philippines, which unveiled updated privacy rules on the use of CCTV. Some medal tallies here are:
- Data controllers having to prominently display CCTV notices that specify the nature, scope and extent of surveillance, the purpose of the system and its capabilities.
- Personal data processing through CCTV systems having to be adequately protected through security measures.
- Data subject access requests, data breaches and regular audits having to be addressed through policies and procedures.
- Disclosure of CCTV footage for law enforcement having to comply with prescribed rules.
- Exclusion of personal use and lawful surveillance from the rules.
Finally, the baton passed to Singapore, which is consulting on two synchronized guidelines for securing artificial intelligence systems. These offer a deep dive into the security controls needed for ring-fencing adversarial risks to AI. The consultation exercise closes 15 Sept.
As we sail into September at what feels at times like record-breaking speed, it looks like the torch that is Asian privacy is burning brighter than ever before.
Charmian Aw, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP, is a partner at Squire Patton Boggs.