Thursday, May 17, 2012

Data Protection rules emerge slowly in ASEAN

Data privacy rules in South East Asia are just starting to appear. The Asia-Pacific Economic Cooperation (“APEC”) group created APEC Cross-Border Privacy Rules (“CBPRs”) system last November 2011. A Data Privacy Subgroup will begin to develop the structure for implementation in 2012. The 10 member Association of South East Asian Nations (ASEAN), not all of who's members are in APEC has committed by 2015 (the timeframe to form the ASEAN Economic Community, an ASEAN version of the EU) to harmonise data protection rules separately. 

The goal is to cut cross-border trade barriers which prevent companies from sharing data, vital in the modern commercial world. There is already a significant outsourcing industry in the Philippines. Regional financial and consumer goods companies, MNC employers, online commerce and social media services all need to hold and transmit data. But individual rights are being protected increasingly given most ASEAN countries are now democracies.

A Roadmap for Integration of the e-ASEAN Sector and the Strategic Schedule for the ASEAN Economic Community seek to adopt best practices and rules on many cyber law issues ( such as data protection and ISP liability) to support regional e-commerce.

Meanwhile several embryonic national laws have appeared as follows -

Indonesia has a Law on Information and Electronic Transactions, with a
single clause creating liability for misuse of electronic private data.

Malaysia's Personal Data Protection Act of 2010 remains unimplemented yet. The appointment of a Data Commissioner is the current stumbling block. 

The Philippines has the Data Protection Act of 2011. However this is in 2 forms, from its 2 parliamentary houses, now the drafts need to be reconciled before the president can sign it into law. Of vital importance is the purported exemption for outsourcing of foreign personal data, which the nascent outsourcing industry centre in the Fort Bonifacio area of Manila needs. Much depends on whether this is acceptable to EU and US authorities.

Thailand has a draft Privacy Bill not yet enacted. 

Vietnam has a Law on E-Transactions with a few clauses about data security and communications, but geared more to their purpose in transactions.

Singapore has a draft Personal Data Protection Bill under public consultation. The principles are to OECD standard and cover access, correction, data quality, security, notice and deletion/de-identification. However, it does not have specific provisions restricting data exports  or special protection for sensitive data; nor any exceptions.

Brunei, Laos, Cambodia and Myanmar have no provisions yet.

As national laws come into effect we shall see the start of compliance studies, so we can understand whether the rules do operate effectively to remove barriers, and their impact on the new IT industries in the region. A full regional set of rules however will follow and how they interact with national laws will cause yet more work for IT lawyers. 

No comments:

Post a Comment