It has been widely reported that Indonesia aims to promulgate the Personal Data Protection Bill in August. One of the issues that stalled promulgation was whether Indonesia should have an independent body supervising personal data protection. With this issue now resolved by deferring the exact form of the supervisory body to the Indonesian president by way of a presidential decree, another issue might arise after the bill’s promulgation: the possibility of conflicting views on personal data prot... Read More

At the moment, Indonesia does not have a comprehensive personal data protection regulation. What does exist is a multitude of laws and regulations in many sectors governing personal data protection. Some of the most prominent personal data laws and regulations are as follows: Law No. 11 of 2008 on Electronic Information and Transactions as amended by Law No. 19 of 2016 and supplemented by the Constitutional Court Decisions Nos. 5/PUU-VIII/2010 and 20/PUU-XIV/2016. Government Regulation No. ... Read More

China’s new Personal Information Protection Law takes effect today, Nov. 1, just over two months after its adoption, with companies seeking to figure out how to best comply and regulators working to answer remaining questions. The Standing Committee of the National People’s Congress passed the law in August to “protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information.” The law includes pro... Read More

The People’s Republic of China broke new ground by announcing draft regulations on the widespread use of algorithmic recommendation technology. The regulations are, according to one expert, the first of their kind globally. And because China will soon exceed one billion internet users — roughly 20% of global internet users — these regulations will cover nearly one in five users on earth. The Internet Information Service Algorithmic Recommendation Management Provisions were released after passag... Read More

The top legislative body in the People's Republic of China voted Friday to adopt a new national privacy law. The Standing Committee of the National People's Congress passed the Personal Information Protection Law at a meeting in Beijing, according to the nation's state-operated Xinhua News Agency. The sweeping law will take effect Nov. 1. With the move, the PRC joins three of the world's top four economies with an omnibus privacy law, leaving the U.S. as the only nation in the top four without ... Read More

As explained in our previous post, China enacted its first fundamental law in cyberspace, the Cybersecurity Law, in 2016. Five years later, in 2021, China followed up with two more pieces of landmark legislation in this space: the Data Security Law and the Personal Information Protection Law. Taken as a whole, these three laws form an overarching framework that will govern data security, data protection and cybersecurity in China for years to come. Under the framework established by these three... Read More

On Aug. 20, 2021, the Standing Committee of China’s National People’s Congress promulgated China’s Personal Information Protection Law, which will take effect Nov. 1, 2021. Serving as China’s first comprehensive law in the personal information protection area and based on China’s Constitution, the PIPL aims to “protect the rights and interests of individuals,” “regulate personal information processing activities,” and “facilitate reasonable use of personal information” (Article 1). From a broad... Read More

Until now, China’s data localization and cross-border data transfer requirements were not laid out in one piece of legislation but could be found scattered in the Cybersecurity Law and its draft implementing regulations, as well as in various sectoral regulations, which contain specific requirements applicable to data processed by entities in specific sectors.    With the June 10 enactment of the Data Security Law that will take effect Sept. 1 and the upcoming Personal Information Protection La... Read More

On March 24, 2021, the Cabinet of Japan issued the Order to enforce the amended Act on Protection of Personal Information and the Personal Information Protection Commission issued Enforcement Rules for the amended APPI on the same day. Updates to the status of the amended APPI The amended APPI was enacted June 5, 2020, and promulgated June 12, 2020. It will become effective April 1, 2022. However, stricter statutory penalties have already become effective, and the transitional measures for pro... Read More

Buildings large and small start with the vision of an architect who plans and designs to make it a reality. Chuen Hong Lew likens his role to that of an architect, but the skyscrapers he is blueprinting are digital, as his sights are set on Singapore’s digital future. “Even though we are a very small country to the wider region and to the world, I think ultimately we will grow Singapore to be that digital metropolis,” said Lew, commissioner of Singapore’s Personal Data Protection Commission and... Read More

On May 14, 2020, Singapore's Personal Data Protection Commission and Ministry of Communications and Information released the draft Personal Data Protection Bill with proposed amendments to the Personal Data Protection Act. One of the key amendments, which goes to the heart of the PDPA, is the enhancement of the collection, use and disclosure framework to enable meaningful consent. Issues of the current regime  Currently, the PDPA provides for consent as the primary basis for collecting, using ... Read More

In this piece, TrustArc's K Royal, CIPP/E, CIPP/US, CIPM, FIP, Paul Breitbarth and Annelies Moens, CIPP/E, CIPT, FIP, discuss the latest on privacy in the Asia-Pacific region. The following is an excerpt from TrustArc's "Serious Privacy" podcast, which can be found here. K Royal: Tell me how you got into privacy as a career? Annelies Moens: Well, 20 years ago, there was no such thing as a privacy career in the Asia-Pacific. I had finished a computer science, IT degree and a law degree. And, I'... Read More

"The Blind Men and the Elephant" is an ancient Indian parable that should be revisited in these unprecedented times. The following is a rendition of the parable:  "An elephant comes to a village and a group of blind men generate curiosity regarding its form and appearance. They decide to feel the elephant individually to decipher how it may be in actuality. One blind man feels the elephant’s ear and declares, 'an elephant is like a big fan,' another blind man feels the elephant’s leg and says, ... Read More

The Asia-Pacific Economic Cooperation is set to boost the status of its Cross-Border Privacy Rules program in the U.S. APEC has announced that certification firm Schellman & Company is the newest CBPR Accountability Agent in the U.S. following approval from a joint oversight panel. Accountability Agents work to ensure companies operating within the 21 APEC member economies have compliant privacy practices and policies in place. Schellman joins TrustArc subsidiary TRUSTe as the only U.S.-b... Read More

On Dec. 6, Australia passed a surprising law with a global impact on privacy. The new law requires any Australian company to build backdoors to encrypted data and communications when instructed to do so by the government, while also requiring secrecy about the existence of such surveillance capabilities from individuals and enterprise customers. This unverifiable question of compromised encryption presents many technical threats and introduces international regulatory compliance challenges as we... Read More

Much of the privacy world is still focused on Europe and the implications of the EU General Data Protection Regulation (and eventually, the ePrivacy Regulation) for digital trade and data practices across borders, particularly between Europe and the U.S. However, Europe holds less than 10 percent of the world’s population, and developing economies in Asia are pressing for a seat at the table setting international rules and norms. Various actors have been working to develop cross-border trade agr... Read More

The State Council of the Republic of Korea approved the Enforcement Decree amendment to the Personal Information Protection Act 5 Sept. Personal Information Protection Committee Chairman Ko Hak-soo announced the new enforcement ordinances will enter into force 15 Sept. The amended PIPA includes "unifying the standards for processing personal information" across various fields. Full story... Read More

EconomyNext reports Sri Lanka's Data Protection Authority is set to begin its work following a gazette published by Sri Lanka President Ranil Wickremesinghe 19 July. The authority was first proposed in November 2022 and Wickremesinghe told Sri Lankan Parliament the government would follow through with finalization of the independent DPA this year.Full story... Read More

On June 16, Japan will enact the amended Telecommunications Business Act, including the External Data Transmission Rule. This new rule, regarding the use of user information, shares some fundamental ideas with the cookie consent requirements of the EU ePrivacy Directive and applies to various online services provided through web browsers and apps. Businesses offering online services should confirm whether the rule applies to their services, and consider whether to amend existing policies or even... Read More

Leaders in the U.K. and Japan have established the U.K.-Japan Digital Partnership, a framework to "jointly deliver concrete digital policy outcomes" for citizens, businesses and economies. The partnership will focus initially on four pillars: digital infrastructure and technologies, data, digital regulation and standards, and digital transformation. The countries noted the work ahead of them includes "championing data flows," exploring joint collaboration on data innovation measures and working ... Read More

Japan's data protection authority, the Personal Information Protection Commission, released a data mapping toolkit for private entities. The PIPC said the new resource is aimed at "organizing the data handled by the business as a whole and visualizing the handling situation." The regulator indicated the toolkit was created in response to increased data handling among organizations and the "increasing need to properly manage that data."Full Story... Read More

The Personal Data Protection Commission of Singapore issued a reminder that new amendments to the Personal Data Protection Act went into effect Oct. 1. The PDPC’s power has been “enhanced to accept voluntary undertakings” under its enforcement obligations. Also the financial penalty cap was increased for companies that violate the PDPA from SG$1 million to "10% of the organisation’s annual turnover in Singapore for organisations with annual local turnover exceeding (SG$10) million, whichever is ... Read More

Reuters reports Indonesian lawmakers overwhelmingly passed a long-awaited data protection bill into law Sept. 20. Indonesia is the fourth most-populous nation in the world. The law includes fines of up to 2% of a company's annual revenue, the potential confiscation of assets, and a stipulation that individuals could be imprisoned for up to six years for falsifying personal data or up to five years for collecting personal data illegally, the report states. The bill also authorizes the president t... Read More

It has been widely reported that Indonesia aims to promulgate the Personal Data Protection Bill in August. One of the issues that stalled promulgation was whether Indonesia should have an independent body supervising personal data protection. With this issue now resolved by deferring the exact form of the supervisory body to the Indonesian president by way of a presidential decree, another issue might arise after the bill’s promulgation: the possibility of conflicting views on personal data prot... Read More

The Philippines’ National Privacy Commission issued guidance on how the agency issues the Circular on Administrative Fines for data privacy violations. The fines are intended to be “proportionate and dissuasive of data privacy infractions.” Privacy Commissioner John Henry Naga said, “The National Privacy Commission is intensifying its efforts in order for personal information controllers and processors to adopt optimal levels of data protection and security. The Circular on Administrative Fines ... Read More

South Korea’s Constitutional Court rejected a law that would have allowed mobile carriers to provide personal data to law enforcement without a user's knowledge, Anadolu Agency reports. Under the Telecommunications Business Act, mobile providers could receive requests from law enforcement for data of customers being investigated. However, the court ruled that portion of the law was unconstitutional because it violated the right of self-determination of one’s personal data.Full Story... Read More

South Korea and the U.K. reached an "adequacy agreement in principle" for cross-border data sharing. The bilateral partnership will focus on improving data frameworks. The adequacy agreement comes while both countries are in the process of modifying their data regulation regimes. In the U.K., ongoing initiatives include upgrading the U.K. National Data Strategy and the U.K. General Data Protection Regulation, and in South Korea, amendments have been proposed for its Personal Information Protecti... Read More

BBC News reports an unnamed tax company employee physically lost the personal data of hundreds of thousands of Amagasaki, Japan, residents. The worker moved the data onto a flash drive for a work meeting and promptly lost the drive during a leisure night out. Personal data on the drive included names, birthdates, addresses, tax details and bank account numbers. City officials said the data is encrypted with a password.Full Story... Read More

Enforcement of Thailand’s Personal Data Protection Act starts June 1, the Bangkok Post reports. A survey by the Thai Board of Trade and the University of the Thai Chamber of Commerce found of nearly 4,000 businesses surveyed, 8% have taken steps toward compliance, while 31% have not begun the process. Total Access Communications’ interim Chief Corporate Affairs Officer Stephen James Helwig said enforcement “marks a milestone for privacy protection and data security” in Thailand.Full Story... Read More

The Personal Data Protection Commission of Singapore launched a data anonymization tool. The tool is free and is intended to assist organizations transform data sets through anonymization techniques. The tool also features an infographic that instructs users on how to use it.Full Story... Read More

Singapore created the world’s first artificial intelligence governance testing framework and toolkit called A.I. Verify, according to its Infocomm Media Development Authority. The framework and toolkit’s purpose would be to promote transparency between companies and their stakeholders by combining tests and process checks. Developers and owners of AI systems can verify their performance against a set of principles through standardized tests. A.I. Verify offers transparency in the areas of safety... Read More

At the moment, Indonesia does not have a comprehensive personal data protection regulation. What does exist is a multitude of laws and regulations in many sectors governing personal data protection. Some of the most prominent personal data laws and regulations are as follows: Law No. 11 of 2008 on Electronic Information and Transactions as amended by Law No. 19 of 2016 and supplemented by the Constitutional Court Decisions Nos. 5/PUU-VIII/2010 and 20/PUU-XIV/2016. Government Regulation No. ... Read More

The New York Times reports areas in Japan are using electronic surveillance help those suffering from the dementia. While the technology is said to protect those with the condition by tracking individuals enrolled in a surveillance program, concerns of privacy overreach and informed consent have been raised. “The most important thing is that it’s that person’s choice,” said Miki Sato, who is in the early stages of dementia and runs a company that offers employment opportunities for people with d... Read More

Japan’s Ministry of Economy, Trade and Industry published “Governance Guidelines for the Practice of AI Principles.” The guidelines follow work of the AI Social Implementation Architecture Study Group, which examined “the ideal state of AI governance in Japan, such as regulations, standardization, guidelines, audits, etc.,” as well as trends in AI principles and regulations overseas. Input was also included from consumer protection experts and others.Full Story... Read More

On April 1, Japan’s amended Act on Protection of Personal Information will come into force. In our previous article, we explained how to amend privacy notices to comply with the amended APPI, mainly focusing on the updated guidelines and Q&As. In this article, we will describe the other key portions of the guidelines and Q&As. For more information on Japan’s APPI amendments, including an analysis and explanation of amending privacy notices, please see the previous articles below. Analy... Read More

On April 1, 2022, Japan’s amended Act on Protection of Personal Information will come into force. In previous articles, we explained the APPI amendments and updates related to subordinate regulations (i.e., enforcement orders and rules). From August to September, Japan’s data protection authority, the Personal Information Protection Commission, published updated guidelines and Q&As for the amended APPI. These documents reveal how the PPC interprets the APPI and how it works as practical reg... Read More

Hong Kong’s Privacy Commissioner for Personal Data Ada Chung published a booklet to help the public and businesses better understand China’s Personal Information Protection Law. The document includes PIPL’s major requirements and a comparison to Hong Kong’s Personal Data (Privacy) Ordinance. Chung said it will help individuals and businesses “to better understand the regulatory regime on the protection of personal information in the Mainland, thereby enabling them to seize, and prosper from, the... Read More

Hong Kong’s Office of the Privacy Commissioner for Personal Data released an e-newsletter detailing the amended Personal Data (Privacy) Ordinance 2021. The amended ordinance, effective 8 Oct., would create a “two-tier offence for disclosing personal data without consent,” empowers the privacy commissioner to investigate and prosecute doxxing offenses, and grants the commissioner power to fine those who fail to remove doxxing data from their platforms.Full Story... Read More

Hong Kong’s Office of the Privacy Commissioner for Personal Data published a guidance note and accompanying frequently-asked-questions document on the use of the EU's updated standard contractual clauses. The PCPD noted the SCCs are relevant for Hong Kong-based businesses "if the obligations under the GDPR apply to it as an exporting party on an extra-territorial basis." The FAQ covers questions on implementation and obligations when executing a transfer using the new clauses.Full Story... Read More

Lawmakers in Hong Kong passed an anti-doxxing privacy bill that empowers the Office of the Privacy Commissioner for Personal Data to investigate and prosecute doxxing incidents, Reuters reports. Those who disclose an individual’s personal data without consent “with an intent to cause specified harm” will be in violation of the legislation and "could face fines of up to HK$1 million ($129,000) and five years in prison." Constitutional and Mainland Affairs Secretary Erick Tsang said the legislatio... Read More

Reuters reports South Korean lawmakers voted to install surveillance cameras in hospital operating rooms across the country following a string of patient deaths after surgery. The bill amends the Medical Services Act and the footage from the cameras could help bring penalties against unlicensed hospital personnel. Those objecting to the mandate claim it will violate patient privacy among other things.Full Story... Read More

The Jerusalem Post reports Facebook, Twitter and LinkedIn moved to increase the privacy of accounts belonging to citizens of Afghanistan to combat potential targeting in the wake of the Taliban seizing control of the country. All three platforms are providing varying levels of increased security, ranging from limiting account searchability to accepting requests to delete archived communications. The moves come after human rights groups voiced concerns about the potential tracking of Afghans' dig... Read More

The Office of the Privacy Commissioner for Personal Data of Hong Kong published its "Guidance on the Ethical Development and Use of Artificial Intelligence.” The guidance is designed to help organizations comply with the requirements of the Personal Data (Privacy) Ordinance as they develop and use AI. It also set out seven ethical principles for AI, including accountability, transparency and privacy.Full Story... Read More

The Taliban is believed to have seized the U.S. military’s biometric devices storing iris scans, fingerprints and biographical data. The technology, known as the Handheld Interagency Identity Detection Equipment, was intended to gather biometric data of 25 million people, 80% of the Afghan population. “We processed thousands of locals a day, had to ID, sweep for suicide vests, weapons, intel gathering, etcetera,” a U.S. military contractor explained. “(HIIDE) was used as a biometric ID tool to h... Read More

The U.S. Department of Defense's Office of the Inspector General published a management advisory for the military to ensure sensitive data is protected and removed from equipment used in Afghanistan, Nextgov reports. The advisory highlights Army Regulation 735-5 and the 401st Army Field Support Brigade’s standard operating procedures for property accountability, which covers the proper methods for handling inventory devices and items with hard drives.Full Story... Read More

Japan's data protection authority, the Personal Information Protection Commission, published a draft guide on international data transfers. The guide covers the criteria countries must meet to match Japan's Act on the Protection of Personal Information and includes responses to comments made during previous consultation periods.Full Story... Read More

Hong Kong's Office of the Privacy Commissioner for Personal Data released guidance on protecting privacy while using social media and instant messaging applications. The guidance covers the risks to privacy and personal data when interacting with the services and offers advice on what users should watch out for as they sign up for a new social media account, as well as how to best navigate privacy settings.Full Story... Read More

A “data security incident” via a third-party IT service provider has impacted the personal information of Malaysia Airlines’ Enrich frequent flyer members, Channel Asia reports. Members were notified via email of the breach, which took place sometime between March 2010 and June 2019, that exposed member names, birthdates, genders, contact details and more. The total number of impacted individuals was not disclosed. A statement from the company said there is no evidence personal data “has been mi... Read More

Buildings large and small start with the vision of an architect who plans and designs to make it a reality. Chuen Hong Lew likens his role to that of an architect, but the skyscrapers he is blueprinting are digital, as his sights are set on Singapore’s digital future. “Even though we are a very small country to the wider region and to the world, I think ultimately we will grow Singapore to be that digital metropolis,” said Lew, commissioner of Singapore’s Personal Data Protection Commission and... Read More

Human rights groups are raising privacy concerns as surveillance cameras are planned to be installed around Kabul, Afghanistan, Reuters reports. An Interior Ministry spokesman said the cameras are being installed to “curb criminal and terrorist activities.” Peace and Human Rights Organization's Mohammad Nizam said, “Under current circumstances, honestly, it would be quite difficult for the masses to have full faith and trust that their privacy would not be harmed with the installation of these s... Read More

Indonesia's Ministry of Communication and Information Technology published its draft "2020–2024 Strategic Plan." The draft plan includes the ministry's commitment to data protection regulations and how data protection officer roles will be formed under the country's draft data protection law. Comments on the draft strategic plan will be accepted until 14 Jan.Full Story... Read More

The Himalayan Times reports new rules issued by the government of Nepal allow government offices to install closed-circuit TV cameras in public places and vehicles for security purposes. The offices must work in conjunction with local police departments before the cameras can go live. Those police departments will be in charge of gathering any information collected by the cameras before sending the data to a "concerned district administration office," the rules state.Full Story... Read More

On May 14, 2020, Singapore's Personal Data Protection Commission and Ministry of Communications and Information released the draft Personal Data Protection Bill with proposed amendments to the Personal Data Protection Act. One of the key amendments, which goes to the heart of the PDPA, is the enhancement of the collection, use and disclosure framework to enable meaningful consent. Issues of the current regime  Currently, the PDPA provides for consent as the primary basis for collecting, using ... Read More

Malaysia's Ministry of Communications and Multimedia announced discussions regarding amendments to the Personal Data Protection Act 2010 are ongoing. Deputy Minister Datuk Zahidi Zainul Abidin explained potential amendments are still "in the discussion stage," noting that any decision to make changes will go right to the Cabinet of Malaysia. Zahidi also addressed privacy concerns related to COVID-19 contact-tracing efforts for both the government and general public.Full Story... Read More

Tech companies have taken measures to protect the privacy of users in Kazakhstan, Infosecurity Magazine reports. CensoredPlanet published a study in which it found Kazakhstan internet providers required users to install a government-issued certificate on browsers and devices to access the internet. The certificate gave the government the ability to gather account and password information, as well as read messages and users’ posts. Google and Mozilla deployed solutions within their respective bro... Read More

ZDNet reports that as of July 17, Kazakhstan began intercepting domestic HTTPS internet traffic. Following an official government announcement, local internet service providers were instructed to require that Kazakh users install government-issued root certificates to enable government decryption and analysis of HTTPS traffic. While the Kazakh Ministry of Digital Development, Innovation and Aerospace stated that enforcement would be restricted to users in the capital, people across the country h... Read More

The European Commission adopted its long awaited adequacy decision on Japan. The same time, Japan recognized the European Union as a jurisdiction with adequate level of personal data protection (press release in Japanese). Both decisions took effect Jan. 23. It took two years from the start of official discussions — with an eventful road — to reach this conclusion. As a consequence, companies will be able to transfer personal data from the EU to Japan based on an adequacy decision pursuant to ... Read More

Vietnam's new cybersecurity law took effect, requiring internet companies to remove content communist authorities deem to be against the state, AFP reports. In what critics have called "a totalitarian model of information control," the law will also require tech companies to share user data if asked by the government and to open an office in the country. "This law is designed to further enable the Ministry of Public Security's pervasive surveillance to spot critics, and to deepen the Communist P... Read More