Understanding the laws backing data and privacy protection for 1.8 billion Asian users
The Internet is big business in Asia. Home to four of the world’s five most populous countries, the region is a robust market of people who are yet to join the Internet and start building their digital footprint.
The region accounts for over 50% of the world’s Internet users, and Internet penetration there is almost touching the global average as Asian countries pick up the digital pace.
For instance, South Korea is a world leader in 5G adoption, India aims to provide digital infrastructure to all under its 2015 Digital India initiative, and Malaysia kick-started its National Fiberization and Connectivity Plan in 2019 to improve its broadband connectivity. Asian economies have been rapidly adding new Internet users, with numbers steadily climbing from 764.4 million users in 2009 to 2.3 billion in 2019.
That’s 2.3 billion people in Asia alone, the largest pool of Internet users worldwide, whose data and privacy now need to be protected. Of these, over 1.8 billion, or 78%, are from China, India, Indonesia and Japan. As Asia continues connecting more people to the Internet, here’s a snapshot of the data protection and privacy laws in the four biggest Asian Internet economies.
With 854.5 million Internet users, China will have the right to privacy and personal data protection immortalized in three key pieces of legislation that are being discussed this year. Of these three, the Standing Committee of the National People’s Congress (the Chinese legislature) published a draft of what could be its first ever law on data protection on July 2, 2020 and has welcomed public comment on it.
Under the draft Data Security Law, the Chinese state puts strong emphasis not only on how it aims to safeguard the security of data, but on utilization as well, suggesting fines of up to RMB 1 million, in addition to criminal liabilities, for violation of the law, applying to actors within and outside its borders.
The draft makes broad promises but has several loose ends it will need to tie up. For instance, Article 22 notes that activities that may affect national security will undergo a State review. It fails to specify what these activities could be. The Chinese state is also expected to produce a draft of the Personal Information Protection Law.
The law is expected to focus on personal privacy rights, and coupled with the Data Security Law (which leans more toward national security), aims to make for strong data rights and security legislation, according to reports.
Moreover, China recently passed its first Civil Code, which is reportedly expected to come into force on January 1, 2020, and has several implications for personal privacy. It provides for individuals’ right to privacy and the protection of their personal information, calling for transparency and security in the processing of personal information.
Protection of personal information was previously regulated by the Cybersecurity Law 2016, which made it mandatory for network owners and service providers to protect personal information and follow cybersecurity practices. It defines personal information as all kinds of information, recorded electronically or through other means, that can determine the identity of natural persons independently or in combination with other information, according to a KPMG report.
The Civil Code does not deviate from this definition, but goes a step further by defining privacy as well, as “peace in a person’s private life and private space, and in activities and information that the individual does not wish others to know,” according to a Lexology report. The report, however, also notes that while the Civil Code recognizes privacy as a personality right of a person, it does not recognize personal information as the same, pointing to a hole that perhaps the Personal Information Protection Law may have to fill.
For a country that will be contributing significantly to the Internet’s next billion users, India’s 687.6 million users may have a lot to gain from its Personal Data Protection Bill.
However, apart from the Bill, which is yet to be passed by the Indian Parliament, data protection is governed haphazardly on the subcontinent. Constitutionally, every Indian citizen is guaranteed the right to life and liberty under Article 21, which the Supreme Court of India extended to cover the right to privacy as well in a landmark judgment in 2017.
While laws such as the Information Technology Act 2000 incidentally and superficially touch upon data protection, the Personal Data Protection Bill, if passed, would become the subcontinent’s first and only legislation dedicated to privacy and data protection. The Bill was introduced in 2019 and referred to a Parliamentary committee which is yet to announce its final comments on the Bill.
The Bill makes privacy a fundamental right and aims to “promote the concepts such as consent framework, purpose limitation, storage limitation and the data minimization.” Moreover, the Bill imposes monetary penalties for violation of its clauses, and introduces a criminal liability on the re-identification of anonymized data.
Interestingly, the Bill provides for the right to be forgotten as well. The right to be forgotten allows individuals to withdraw consent and halt the use and disclosure of their personal information. Another point to note about the Bill is its definition of social media intermediaries, which the Bill defines as an intermediary that “primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.”
The purpose of making this a part of the Bill is unclear, and it exempts business-oriented players, those providing access to the Internet, and others such as search engines, online encyclopedias, email, or online storage services. Clearly, Google is in the clear here.
Those identified as significant social media intermediaries by the Indian State must allow users to voluntarily verify their accounts. This will most likely require users to share more information than they may want to with social media platforms, contrary to the general attitude of the Bill, which stresses consent and data minimization.
The Bill has also come under fair criticism for the sweeping powers it gives the Indian State to exempt itself from the application of the Bill. The Bill also allows for data to be transferred outside India, subject to certain conditions.
In late January this year, Indonesian President Joko Widodo submitted a draft of the Personal Data Protection Bill to the Indonesian Parliament, marking the island nation’s first possible law on data protection and privacy.
This would make Indonesia the fifth Southeast Asian country to have laws on data protection, an official statement said. With 175.4 million users in the country, it would also make Indonesia the biggest Southeast Asian Internet economy to do so.
“This law is on the one hand to maintain data sovereignty, and on the other hand also to ensure that opportunities open to innovation and business are friendly,” Minister of Communication and Information Johnny G. Plate said at a press conference. Plate also noted that the bill would cover four key aspects of data protection, namely, matters pertaining to security and sovereignty, ownership of data, verified user data, and cross-border data flow, and would be applicable to overseas Indonesian citizens as well.
Prior to the Bill, Indonesia too did not have a dedicated law on data protection, and the issue was covered incidentally by sundry laws such as the Electronic Information and Transactions Amendment of 2008. The draft Bill stipulates that personal data can be acquired only with the explicit consent of the person concerned, and for purposes agreed to by them. It also prohibits the trading of data, and makes unauthorized use of personal data a punishable offense.
Anonymized, or de-identified, data also comes under the ambit of the draft Bill, which Indonesian business lobbies are already arguing against on the basis that it can be detrimental to business. Moreover, the draft Bill provides for 11 rights for data owners, including the right to withdraw consent and the right to restrict processing of their data. The Bill is not without its criticisms, however. For instance, while it suggests that data be held only for a “retention period”, following which the data must be erased, it does not shed light on how long such a retention period should be.
Further, it also reportedly fails to provide clarity on equal sanctions for data misuse by public or private bodies, and has not provided a clear view of what would constitute an independent data protection authority.
With 116.5 million Internet users, and an Internet penetration rate of 93.8%, Japan is one of the most successful Internet economies in Asia. It is also one of the earlier adopters of data protection regulation with its Act on the Protection of Personal Information 2003, which was revamped in 2015.
The amended version of the Act came into force in May 2017, and a second amendment was approved in June this year. The Act is applicable to all businesses that use personal data of persons located in Japan, but exempts governments and government agencies, and the latest amendment is expected to come into force by June 2022.
Owners of data have the right to know the purpose and means of processing their data, can choose to withdraw or delete it, and can also sue businesses that do not respond to their Act-related requests within two weeks, among other provisions of the Act. Of the four countries discussed in this article so far, Japan possibly has the most straightforward and clear legislation on the protection of personal data, as the other three countries have only recently started legislating around privacy and personal information.
Under the newly amended Act, people can ask to delete their data or discontinue its processing or transfers, in addition to asking for disclosure of transfer records. Such rights were previously applicable when data was to be retained for six months or more. However, the amendment has removed this limit on the retention period, and these rights now apply to all personal information.
Businesses are also now mandated to notify both users and the Personal Information Protection Commission (PPC) of Japan of some data breaches, although the circumstances of such instances are not clear as yet.
The Act exempts business operators who work with anonymized data or ‘pseudonymized’ data (data that can lead to identification only when paired with other information) from certain obligations under the Act.
It also imposes obligations of consent and disclosure to data subjects in case of third-party transfers of data, although the transfer of pseudonymized data to third parties is prohibited by the Act. Moreover, violation of the Act can result in a jail term of up to a year, and a fine of up to US$933,000.
Clearly, data and privacy protection is a deeply nuanced issue with wide implications, especially because Internet economies are built almost entirely on data. To address this adequately, policymakers, civic bodies, businesses and individuals need to grapple with core issues of how much and what kind of data is reasonable to use, who can be trusted to use it, and what constitutes the privacy of individuals.
The bigger contention for individuals is to make well-informed decisions on what data they consider safe to give out, and what they would like to keep to themselves. Drawing these boundaries involves a careful assessment on the individual’s part, of what kind of products or services they would like delivered to them, how deeply they understand data monetization and localization, and what their nationalistic priorities are.
Such an assessment is a long process of research and debate, and knowing the laws of the land is probably the second-most important dimension of getting there. The first is to recognize that people deserve control over their information, and should have a say in how it is treated.