Last week was a significant one for regulation in Asia.
Japan’s amendment to the Act on the Protection of Personal Information took full effect last week. The main changes to the act were a consent requirement for collection of “special care-required personal information” (broadly corresponding to concepts of “sensitive personal data”), the introduction of the concept of “anonymously processed information,” and additional record-keeping requirements for data transfers.
Of course, there is also the addition of cross-border transfer restrictions. Three types of legitimate transfers of personal information to a third party in a foreign country are permitted, however: transfers to a country that the Personal Information Protection Commission has designated as having an acceptable level of data protection; transfers to a third party in a foreign country in circumstances in which actions have been taken to ensure the same level of data protection as in Japan; or transfers with the data subject’s consent.
There is no grace period for compliance with the amended act.
In China, meanwhile, the much-anticipated Network Security Law, commonly referred to as the “Cybersecurity Law,” came into effect last week after two years of review, even though implementation regulations are still being drafted. The law has a broad scope, covering a range of issues related to data privacy, security and cross-border transfers, and is probably one of the strictest in the world.
At a press conference held on the eve of its launch, the Cyberspace Administration of China provided some clarification on certain aspects of the Cybersecurity Law — notably on the purposes and intended scope of some of its provisions. Although a phase-in period or delay had been speculated upon in the media, there was no such announcement.
Critical information infrastructure operators have significant obligations, including the requirement to store within China any personal information and important business data that has been “collected and generated in the operation” within China. The specific definition and scope of a “CII operator” will be further defined and clarified by the government in due course. While various implementation regulations are still being drafted, the CAC recommended that relevant corporations and institutions self-regulate, including in relation to the data localization requirement, and ensure that their network activities are compliant with the law.
Note, though, that the Network Security Law is only one piece of the emerging data compliance requirements in China, and the CAC advised that all implementation regulations will be enacted or published by relevant authorities within one year of the effective date of the Cybersecurity Law. Network operators and CII operators are advised to keep a close eye on developments.
While all this high-tech stuff was being digested, Singapore reminded us that paper still counts. Two Singapore companies were sanctioned for breaches of paper-based personal data. Both companies escaped fines but were ordered to review their privacy policies, develop new procedures to implement the policies and conduct staff training.
With all the new rules emerging, it pays not to forget the basics. Until next time, keep your reading glasses pristine.
