New Data Protection Regulations in Asia Demand Compliance from Corporate Legal and IT Teams

Abdeslam Afras

Jun 07 2017

More than 60 percent of C-suite executives at Asia-based companies believe that compliance and adapting to new regulations is the biggest challenge facing their businesses this year, according to Baker McKenzie’s Asia Pacific Business Complexities Survey 2017. When asked what the major focus of their industry would be over the next two years, 76 percent of respondents cited regulatory change.

Gary Seib, partner and Asia Pacific chair at Baker McKenzie, observed that a key driver of this executive concern is related to the emergence of new laws created to regulate a growing digital economy in Asia. “With increasing digitization, privacy issues, data transfer and intellectual property disputes are clearly on the rise,” Seib told Legaltech® News.

Data protection laws have been a mainstay of discussion in North America and Europe over the past few years, but of no less consequence is the implementation of new laws in Asia that change the way data must be handled and transferred in Japan and China.

On May 30, 2017, a series of amendments to the Act on the Protection of Personal Information (APPI) in Japan went into effect. The Personal Information Protection Commission in Japan identified three key areas of focus for the changes: (1) Clarification of the definition of “personal information”; (2) Recognition of the appropriate use of “Big Data” while protecting personal information; and (3) Rules about cross-border data transfer.

Alston & Bird’s Privacy & Data Security Blog notes there are several important statutory elements in the new data protection regime that will require strict compliance by companies doing business in Japan:

• Data collection and use requires enterprises to disclose the “purpose of use” prior to data collection and secure individual consent;
• Data storage and safeguarding requires various security measures and third-party management to prevent unauthorized access to personal data;
• Data disclosure requires organizations to obtain specific consent for information sharing, imposes new audit and retention requirements, and establishes restrictions on cross-border transfer; and
• Businesses must respond in specific ways to individuals’ requests and complaints, such as allowing individuals to correct or delete personal data when such data is inaccurate.

Meanwhile, on June 1, 2017, the People’s Republic of China implemented its comprehensive new Cybersecurity Law. Among other things, the new law requires that foreign companies conducting business in China must store any data pertaining to Chinese citizens on servers within the country’s mainland—an aggressive policy to protect sensitive privacy data or state secrets. This is serious business: organizations that fail to comply face severe financial penalties, possibly including the loss of their ability to conduct business in mainland China.

The National Association of Corporate Directors (NACD) published an excellent analysis of the new law, identifying three central aspects that have the “greatest potential to affect multinational companies doing business in China”:

• Data localization requires that “critical information infrastructure” (CII) operators store personal information and other important data they gather or generate in mainland China within mainland China. CII operators must have government approval to transfer this data outside the mainland if it’s “truly necessary.”
• Support for Chinese security authorities requires “network operators” to provide technical support to security authorities for the purposes of upholding national security and conducting criminal investigations. Network operators may include anyone operating a business over the Internet or networks.
• Certified network equipment and products must meet national standards and pass inspection before they can be sold or supplied in China. CII operators are also required to undergo a “national security review” when purchasing network equipment or services that may affect national security.

The new Cybersecurity Law places the onus on companies that conduct business in China—regardless of whether or not they have a physical presence in the country—to review their data protection policies and ensure compliance.

Data protection laws in Asia are changing, with regional leaders China and Japan amending their regulations this year to address emerging issues regarding data privacy and cybersecurity. It’s essential for corporate legal and IT teams to review their organization’s current data protection policies to ensure compliance.

# # #

About the Author
Abdeslam Afras is vice president of international markets at AccessData, where he is based in the company’s Frankfurt office. Afras has 25 years of experience in business-to-business information technology and has served in the international markets division for AccessData since 2010.
