The year 2020 brought some important developments to the world of data protection legislation. Most notably, the California Consumer Privacy Act (CCPA) came into force in the US in January. The Court of Justice of the European Union (CJEU) effectively put an end to the free flow of data between the US and the EU, ruling in Schrems II that the European Commission’s adequacy decision regarding the EU-US Privacy Shield was invalid.
Southeast Asia also modified its Personal Data Protection Act (PDPA), introducing, among other things, mandatory data breach notifications, an expansion of the notional consent framework, exceptions to consent for legitimate interests and higher penalties for non-compliance. These changes will be applied in practice in 2021. The first amendments to the PDPA already came into force in Singapore in February and in Thailand it has been in force since June 1, 2021.
The new and modified data protection regime applies to countries including Malaysia, Singapore, Thailand, Korea, Vietnam and India. It is designed to help limit the misuse of personal data and maintain individuals’ trust in companies and organizations that manage their data. In this way, Southeast Asia would like to appear more trustworthy to international businesses.
The Personal Data Protection Act (PDPA) addresses both the protection of individuals’ personal data and the collection of personal data by organizations that gather, use or disclose it for legitimate purposes.
Under the terms of the PDPA, personal data is any data concerning a person by which they can be identified, for example:
Compliance with the PDPA is mandatory for companies. Companies have to let customers know why their personal information is being requested and obtain their permission to use it up front by notifying them. Organizations must not compel individuals to consent to the collection, use or disclosure of personal information beyond what is appropriate to provide a product or service.
Customers can request that an organization stops collecting, using or disclosing their personal information. The organization must then inform them of the likely consequences of the withdrawal of permission before complying with the request. However, the organization is under no obligation to delete or destroy the personal information and may retain it as long as necessary for business or legal reasons. In addition, customers can request to see the personal information that has been collected about them.
If customers do not receive notifications or companies breach the terms of the PDPA they will be subject to penalties. The penalty for a violation of the principles set forth in the PDPA could be a fine of up to US$1 million and/or imprisonment for a term not exceeding two years. One of the highest fines imposed by the Personal Data Protection Commission (PDPC) to date was against IT vendor Learnaholic that totalled US$60,000. Many of these fines were for cyber security violations that resulted in the unauthorized access and disclosure of personal data.
The Personal Data Protection Act also provides Singapore with a basic standard for the protection of personal data. It supplements legal and administrative provisions such as the Banking Act and the Insurance Act.
The Singapore PDPA applies to all electronic and non-electronic communications involving the collection, processing or transfer of data within Singapore, irrespective of whether the company in question has an actual physical presence in Singapore. The PDPA empowers individuals to protect, access and correct their own data.
Organizations that collect, process or disclose this type of personal data must comply with the following requirements in Singapore:
Singapore and Malaysia also require that data not be transferred to countries with a lower level of protection for personal data.
Furthermore, the Singapore PDPA contains various regulations on the collection, use, disclosure and maintenance of personal data.
It also seeks to establish a national Do Not Call (DNC) registry in Singapore, on which individuals can register their telephone numbers to stop receiving unsolicited telemarketing calls from companies.
Southeast Asia’s economy is growing rapidly. Likewise, the digitalization of the population is increasing, which is why new regulations and standards are being established. If your company has economic ties to Southeast Asia, it is very important that you and your employees are familiar with the current regulations regarding personal data in the region.