The coverage of the recent Sephora and Capital One data breaches in the media highlighted an important point – countries enforce privacy acts in different ways. In cases where a data breach involves customers from another country, companies must pre-empt and prepare their response.
After the Sephora breach, the company notified consumers and the Singapore Personal Data Protection Commission (PDPC) in line with the Guideline to Managing Data Breaches 2.0 (released May 2019). According to the guide, firms must notify the PDPC when 500 or more individuals are affected or when the breach is likely to cause significant harm.
The Privacy Commissioner in Canada takes a different approach – it holds firms accountable for developing a framework to assess what qualifies as “real risk of significant harm” based on the sensitivity of the personal information involved and the probability that the personal information has been or will be misused. This approach gives businesses more flexibility in determining when to notify the authorities and customers about a data breach. Moreover, Canada’s complaint-based mechanism means the Commissioner launches investigations based on consumer complaints.
The different approaches taken by regulators can be confusing for businesses. The two examples above show that companies need to apply different rules to data sets of consumers in different countries. Therefore, companies must evaluate varying regulation, develop internal protocols and train their employees to ensure they are able to quickly react to incidents and be compliant.
Asia-Pacific countries are at different stages of developing their privacy regulation. Singapore and the Philippines have already enforced data protection laws and Thailand has just passed its data protection act in May 2019. Meanwhile, both New Zealand and Indonesia are deliberating privacy bills this year. Business owners should note the scope of each privacy law.
For example, the extra-territorial scope of some laws may require a company that is based outside the country to still meet certain requirements as long as they process the personal data of the country’s residents. Take the appointment of data protection officers (DPO), for instance. If you process the personal data of consumers in five countries and each country’s law requires the appointment of a DPO, how do you manage those requirements? Another problematic issue is the storage of personal data. Some laws require personal data to be stored within national borders. If you host your servers outside the country, which is typical of most companies, how do you comply with the regulation and still have the ability to transfer data across borders?
Another issue is the friction between data privacy laws and other peripheral laws. Some laws may give authorities the ability to access data to aid an investigation or for matters related to national security. There might also be sectoral laws that impose additional restrictions on the storage of personal data. Businesses will need to evaluate all relevant laws and determine which compliance rules they need to put in place.
What if GDPR Penalties Become the Gold Standard?
The European Union’s (EU) General Data Protection Regulation (GDPR) is viewed by privacy proponents as the “gold standard”. In particular, the GDPR’s high penalty of up to 4% of a company’s global annual turnover (or up to EUR 20 000 000, whichever is higher) for regulatory breaches has inspired other countries to do the same. For example, Australia plans to raise its penalties to deter companies from taking a relaxed attitude towards privacy.
As countries around the world review their existing data protection laws and deliberate new bills, companies are at risk of becoming subject to high penalties. Policymakers want to make businesses accountable for the data they hold. For this reason, it is important that companies engage with regulators and create a workable solution around accountability and data security.
Global Discussion on Cross-Border Data Flow
Although daunting, it is not all gloom and doom. Policymakers are aware of the importance of cross-border data flow and how it supports economic growth. Japanese Prime Minister Shinzo Abe proposed enabling the free flow of data across borders based on trust at the World Economic Forum in Davos, and the conversation continued at the G20 meeting in Osaka. Although diverging privacy laws are being developed globally, having a common baseline will help set the stage for a more productive approach towards cross-border data flows. A good common approach is one that ensures the protection of citizens’ personal data while not being too complex or costly for companies to adopt.
Perhaps it is beneficial to return to the basic principles of the Organisation for Economic Co-operation and Development (OECD) Framework, which was developed to preserve the protection of personal data while enabling the transfer of data across borders. One of the principles – security – is an issue for policymakers today, and both industry and policymakers need to have an in-depth discussion on the efficacy of different approaches in achieving this principle. Within Southeast Asia, there is an existing avenue where such discussions could take place. The ASEAN Personal Data Protection Framework provides a channel for member states to exchange good practices and share information. It would be useful if industry participated in such processes and shared its expertise and past experience in dealing with personal data security.
What Does This Mean for Businesses?
Taking these developments into account, businesses should regularly review their data protection practices and ensure they remain compliant. They should also determine the impact that diverging regulation on data access and data localisation will have on their business. Taking the initiative to start or continue conversations with the local and regional privacy community is the key to creating a privacy environment that protects customers without inhibiting the growth of business.
Author: Seha Yatim, Senior Policy Analyst, Access Partnership