An Exploration of Data Protection and Cybersecurity Developments in the Digital Economy Era :
How China, India, Vietnam and Thailand are keeping up with digital evolution
In today’s digital age, data protection and cybersecurity are becoming increasingly important world over. The Asian legal landscape, being no exception, is ushering in an enormous amount of change – with privacy laws anticipated, by the end of this year, to have grown by 25% since 2021.
With the rise of technology, sensitive data is being collected and stored at an unprecedented rate, making it vulnerable to cyber-attacks. This is especially true in countries like China, India, Vietnam and Thailand that are experiencing rapid growth in their digital economies. Here, we shine a spotlight on these countries and explore the latest changes and upcoming amendments to their data protection and cybersecurity laws and regulations.
China
With the ever-accelerating growth of technology, comprehensive data protection and cybersecurity laws in China have become crucial. In recent years, the Chinese government has implemented a number of changes to its laws in order to protect citizens’ personal information and ensure that companies are compliant with international standards, such as the European Union’s General Data Protection Regulation (GDPR). These changes include new regulations on data collection, storage, usage and cross-border data transfers; increased penalties for violations; and improved enforcement mechanisms.
In 2021, China enacted its comprehensive data protection “rulebook”, the Personal Information Protection Law (PIPL) which, while neither as prescriptive nor as detailed as the GDPR, imposes strict requirements on companies that collect and use personal information, and gives individuals greater control over their own data. For example, under the PIPL, individuals have the right to request that companies delete their personal information, and companies must obtain consent from users before sharing their data with third parties.
Since the implementation of this law, authorities in China have endeavoured to develop the measures necessary to implement its provisions, such as those related to data breach notifications and cross-border data transfers.
In order to transfer personal information to a party outside of China, PIPL requires that one of three conditions be met by a “personal information handler” (similar to a “controller” under the GDPR) :
- That a security assessment be undertaken by the Cyberspace Administration of China (CAC) and passed;
- That a contract in the standard form given by the CAC be concluded with the party outside of China; or
- That a personal information protection certification by a specialised agency as per CAC requirements be conducted.
On 1 September 2022, implementing rules for such security assessments were effected, which are mandatory for certain transfers such as the export of personal information by a controller that processes the personal information of over one million individuals; or the export of deemed “important data” by a controller which through falsification, destruction, leakage, or illegal obtaining or use may endanger inter alia national security, economic activity, social stability or public health.
On 24 February 2023, the CAC released the final form of the Personal Information Export Standard Contract (the standard contract above, similar to that under GDPR) together with Measures on the Standard Contract, which will both take effect on 1 June 2023. Final form specifications for security certifications were released by the National Information Security Standardisation Technical Committee in June 2022 with further revisions released in December 2022.
Mark Johnson, Partner, Debevoise & Plimpton – Hong Kong
New regulatory landscape such as this may prove minefield territory, even for the most astute businesses. Mark Johnson, Partner, and Philip Rohlik, Counsel, of Debevoise & Plimpton LLP’s Hong Kong and Shanghai offices, respectively, highlight one key change that companies in Asia should be aware of :
“International companies doing business in China need to be aware of the blocking provisions in China’s PIPL and Data Security Law (DSL). These prohibit providing PRC data to foreign criminal or judicial authorities, except through international treaty mechanisms.
Philip Rohlik, Counsel, Debevoise & Plimpton – Shanghai
“In the case of the PIPL, non-compliance can potentially subject companies to significant penalties. Even the most compliant international companies transfer data between offices in the ordinary course, for example through internal emails or shared systems. Once data is transferred, it is located abroad.
“Companies facing judicial or regulatory inquires abroad will need to determine what relevant data is in China and what is stored outside of China at the time of the foreign request. Only after determining where the potentially relevant data is, can companies determine how best to negotiate with the foreign authority and navigate any conflicts between PRC and foreign law,” Johnson and Rohlik explain.
International companies doing business in China need to be aware of the blocking provisions in China’s PIPL and Data Security Law (DSL)
India
India has also been taking steps to strengthen its data protection and cybersecurity laws in recent years, although it has not been an easy stroll. In 2019, India passed the comprehensive Personal Data Protection Bill (PDPB) which aimed to establish a comprehensive framework for data protection in India, and would require companies to obtain consent from users before collecting and using their personal information.
On 3 August 2022, however, India withdrew the beleaguered Bill which had already seen over 80 amendments and 12 recommendations after consideration by the Indian Parliament. The withdrawn Bill raised concerns over the management of sensitive information and the scope of access to data by the Indian Government.
A scaled back and less prescriptive proposal, the Digital Personal Data Protection Bill (DPDP) was later published on 18 November 2022. It is expected to include a similar framework for data protection (largely in line with GDPR) for legislative approval with detail to be given in further implementing regulations.
Notable changes from the previous version of the bill include amendments to penalties for non-compliance and the removal of the contentious data localisation requirements found in the PDPB
The DPDP, in its current form, would add to the growing body of privacy laws in the region that apply extraterritorially. It includes extraterritorial application to entities processing information outside of India should this involve the profiling of data subjects in India or the offering of goods and services in India.
Notable changes from the previous version of the bill include amendments to penalties for non-compliance and the removal of the contentious data localisation requirements found in the PDPB.
Under the PDPB, companies that failed to comply with its strict requirements could face fines of up to 4% of their global revenue. The DPDP, however, caps fines to be levied against a data fiduciary to approximately US$62 million.
With regards to localisation, rather than requiring entities to store collected data in India, the revised Bills provides for Government to rather assess the data protection regimes of different countries and thereby confirm whether transfer to such countries is allowable.
After being subject to public consultation until early January of this year, the DPDP will now undergo the same legislative process of its unsuccessful predecessor, hopefully with more successful ends. Given the Bill’s framework approach with a focus on core privacy requirements similar to most privacy laws globally, it may be in for a smoother ride.
Vietnam
Vietnam, considered one of the fastest growing digital economies in Southeast Asia, has been focusing on strengthening its data protection and cybersecurity regulations in recent years.
Indicative of this commitment, the government launched its National Digital Transformation Program by 2025, with an orientation to 2030, which includes a range of initiatives aimed at promoting the digitalisation of business, administration and production activities to improve efficiency and competitiveness.
Waewpen Piemwichai, Senior Associate, Tilleke & Gibbins – Hanoi
Data protection and security provisions have, until now, been particularly fragmented in the country, with applicable provisions located in numerous laws and decrees. We spoke with Waewpen Piemwichai and Trung Bao Tran of Tilleke & Gibbins about Vietnamese data protection laws and they state that big changes are, however, starting to take shape:
“There has been a major overhaul of Vietnam’s data protection laws, notably with the development since 2021 of the landmark Personal Data Protection Decree (PDPD) by the Ministry of Public Security. This Decree, once in effect, will be the very first comprehensive regulation on data protection in Vietnam.”
The PDPD was recently issued on 17 April 2023, following extensive public consultations and numerous rounds of reviews since its first release in draft form in February 2021. It is set to take effect on 1 July 2023 without a transitional period.
Trung Bao Tran, Associate, Tilleke & GibbinsHo Chi Minh City
In a recently released article on the subject from Tilleke & Gibbins, Piemwichai and Tran report that the PDPD sets out significantly new requirements on the processing of personal data, the most critical provisions of which include:
Eight principles for the processing of personal data, being lawfulness; transparency; purpose limitation; data minimisation; accuracy; integrity, confidentiality and security; storage limitation; and accountability.
- New definitions and concepts, particularly including personal data; sensitive data; data subject, data controller, data processor, and data controller-processor; third parties; and cross-border transfer of personal data.
- Eleven data subject rights, including the rights to know, to consent, to withdraw consent, to access, to delete data, to restrict data processing, to object to data processing, to request the provision of data, to claim compensation for damage, to self-defence, and to complain, denounce and initiate lawsuits.
- Conditions for cross-border transfer of personal data, including a transfer impact assessment and post-transfer notification to be sent to the Department of Cyber Security and Hi-Tech Crime Prevention of the Ministry of Public Security.
- Processing of children’s personal data.
- Cases where personal data can be processed without consent.
- Measures to protect personal data in general, basic personal data and sensitive personal data, the latter of which includes assigning a data protection officer.
Piemwichai and Tran predict far-reaching implications across virtually all business operations in Vietnam. When asked about key areas of data protection laws in Vietnam that in-house counsel in Asia should be aware of to remain compliant, they gave this advice:
“The PDPD proposes a great number of requirements that do not exist in current laws. It is quite easy for companies to omit these new rules (or some details of them) since they have never had a compliance mechanism in place. Some critical new rules include:
- The principle of data minimisation (proportionality), according to which personal data collected must be limited to only what is necessary to accomplish the specified purposes.
- The new GDPR-like concepts of “data controller” and “data processor” that define responsibilities of participants in a data processing operation more clearly.
The Draft PDPD has proposes a great number of requirements that do not exist in current laws. It is quite easy for companies to omit these potential new rules since they have never had a compliance mechanism in place
Consent for personal data processing must be expressed in writing with a printable and reproducible format. Silence by data subjects is completely ruled out as a valid form of consent. Other conditions of consent include that it can be made partially and conditionally, and withdrawn at any time by the data subject.
- A privacy notice with mandatory details about the data processing operations must be sent to the data subject.
- There are a number of instances where the processing is exempted from consent, but must satisfy other lawful processing bases.”
To best prepare for compliance, Piemwichai and Tran recommend that companies start a thorough review of the now issued PDPD, compiling a checklist of all regulatory requirements, and performing a comprehensive compliance gap analysis.
With the ongoing evolution of technologies such as artificial intelligence, we further asked Piemwichai and Tran whether they anticipate any additional development of data protection laws in Vietnam in relation to these technologies in the coming years.
“The implication these new technologies may have on data privacy has not yet become an alarming issue in Vietnam,” they reassured. “At this stage, Vietnam is focusing on the development of fundamental
privacy rules under the PDPD to deal with more rampant violations like unauthorised data collection and processing, and illegal data trading.”
They do note, however, “that the Ministry of Public Security has a plan to develop a Personal Data Protection Law in 2025. Privacy issues relating to the use of new technologies may be taken into account in the preparation of this law if they become a critical concern by then.”
Thailand
Privacy laws in Thailand are growing stronger with the Personal Data Protection Act (PDPA) coming into full effect on 1 June 2022 together with the subsequent introduction of multiple guidelines.
The PDPA is the first comprehensive data protection regulation in Thailand and is similarly highly influenced by the GDPR in its key principles. With extraterritorial applicability, it covers entities collecting personal data outside of Thailand if this processing involves the offering of goods and services in Thailand.
Guidelines have included the Guideline on Requesting Consent from the Data Subject under the Personal Data Protection Act B.E. 2562 (2019), released on 7 September 2022, which delineates requirements for obtaining valid consent from individuals; and the Guideline on Procedures for Notifying the Purpose and Details relating to the Collection of Personal
Data from Data Subjects which outlines the principles for providing notice to a data subject regarding how their personal data will be processed.
The Office of Personal Data Protection Committee (OPDPC) undertook a public hearing in 2022 which ran until 24 October regarding its draft notification to supplement the PDPA on cross-border transfers of personal data outside of Thailand. It adopts the GDPR approach and lays out requirements regarding binding corporate rules and other safeguard measures.
Just before the rolling around of 2023, on 15 December 2022, the Notification of the Personal Data Protection Committee Re: Criteria and Means on Personal Data Breach Notification was published and took immediate effect. This notification provides more expansive details on the obligations of key data controllers concerning notifications of personal data breaches, building upon the PDPA’s requirements. This includes details on what to notify for, what to do (e.g. to first inspect and assess the level of risk, to notify the OPDPC without delay and within 72 hours, and to notify the data subject if the risk is high). It also covers required minimum details to be notified (including descriptions, impacts, mitigating measures and contact details).
Data controllers have been given concessions to continue processing personal data collected before 1 June 2022 should the purpose for which the data was collected remain the same, however, they must publicise a method for consent withdrawal and notify data subjects of this option to opt-out. Beyond this, data handlers had best familiarise themselves with the updated provisions as penalties for failure to comply may incur civil liabilities, criminal penalties (including imprisonment) or administrative fines.
Regarding cybersecurity, Thailand’s National Cyber Security Agency plans to expand the enforcement of its standard framework of security requirements. By the end of 2023, 120 organisations stipulated by the Cybersecurity Act (up from 60) will be required to comply with the framework.
Change the only constant?
Data privacy and cybersecurity laws and regulations globally are constantly evolving, as illustrated in this exploration of recent developments in China, India, Vietnam and Thailand. Some common threads emerge as many countries follow in GDPR footsteps with other similarities, such as localisation and extraterritorial applicability, emerging as regional trends.
This article did, of course, tour only 4 jurisdictions. Change is rife elsewhere, too. Just at the end of March, the Saudi Arabia Council of Ministers approved a series of changes to the Kingdom’s own Personal Data Protection Law (issued in 2021). While pushing the effective date of this law out to September 2023, these changes also align the law more closely with GDPR and international standards.
As the digital economy continues to grow, it is essential for businesses to stay up-to-date with latest developments in data privacy and cybersecurity laws to ensure not only that their data is secure but that they avoid penalties by remaining compliant with the ever-growing web of international regulation.
This article was published in the April 2023 issue of the IHC Magazine. To read more articles from the issue, click here
