With a range of new regulations, tools and projects underway, Information Governance ANZ were pleased to host a virtual forum with updates on the latest data privacy developments across the Asia Pacific region.
This interactive session was facilitated by Susan Bennett, Founder of InfoGovANZ and our special guests included:
- NZ Privacy Commissioner – John Edwards
- Senior Research Fellow, Asian Business Law Institute – Dr Clarisse Girot
- Director, Simply Privacy – Daimhin Warner
Commissioner John Edwards on the new NZ Privacy Act
New Zealand’s Privacy Act 2020 comes into force on 1 December 2020 and introduces new limitations on cross-border transfers.
Commissioner Edwards spoke about the new legislation and provided a brief history of the Act since 1993. It applies across the economy (both public and private sector organisations), is based on the 1980 OECD data protection principles and is technology-neutral. He noted the Act has remained largely unamended during the intervening decades.
New Zealand received an ‘adequacy ruling’ by the European Commission recognising that it provided an adequate level of protection to personal data of European citizens. In 2011 the Law Commission carried out a review and found the Act remained broadly fit for purpose, although some modernisation was recommended.
The new law comes into effect from 1 December. It includes some new obligations and policy initiatives, including mandatory breach notification. It sets quite a high threshold for harm criteria, to prevent “over reporting” which can undermine public confidence.
The Office of the Privacy Commissioner has released a reporting tool, Notify Us, to help organisations assess a breach situation and report appropriately. The tool was developed with a user-centred design approach, to enable assessment and reporting even if the user knows very little about the Privacy Act.
The Act includes a new principle, limiting general powers of disclosure for overseas data transfers. It is not considered a disclosure if data is simply stored or transmitted, for example in a software-as-a-service or hosted environment. Data must not be used or tracked by the IT service provider for their own purposes. As with GDPR, there is some extraterritoriality and the Act will still apply if the organisation is considered to be carrying on a business in New Zealand, even if the recipient is outside New Zealand.
To facilitate cross-border transfers of personal information, advice and model contractual clauses will be available from the OPC website, along with another tool to print out tailor made contracts.
The Commissioner can issue compliance notices, not fines – although there are criminal offences for impersonating an individual or destroying personal information that has been requested. He noted that updates to the Act are based on recommendations almost 10 years old, so there may be scope for further improvement, but the principles-based approach offers a reliable framework over time.
Daimhin Warner on how practitioners can prepare
Daimhin encouraged privacy practitioners to focus on preparing for cross border transfers, noting there are a few tricky issues to tackle for compliance. The old Act encouraged a ‘reactive’ approach, but the new Act required proactive due diligence.
For example, every entity in a group of companies is considered a separate organisation, so it’s important to manage the risk of disclosure in data that may be transferred within the group.
He noted it will not apply to a service provider or data processor in the majority of cases. Situations that will need more careful consideration may include health research organisations or law enforcement agencies, potentially sharing personally identifiable data with counterparts around the world. Principle 12 does not apply in ‘controller to controller’ transfers if required for public safety.
The Act requires consent to be expressly confirmed but this does not necessarily mean it is freely given. Where citizens are accessing a service provided by government they may have very little choice. Daimhin emphasised consent should always be a last resort.
At a macro level, it can be difficult to compare privacy protections in different jurisdictions and the legal landscape is constantly evolving. As such, regulators are reluctant to issue “white lists” of countries where data can be safely transferred.
Daimhin explained several key things for organisations to consider. He encouraged the use of model contractual clauses issued by the OPC.
He also recommended engaging a local privacy expert, based in the receiving country, to understand how a law is actually being implemented in practice.
Dr Clarisse Girot on the consequences of regulatory cooperation
Dr Girot discussed the interaction and interdependence of data protection laws and data transfer requirements across the region. She noted it is a very complex area of law with a lot of differences in requirements and coverage.
ABLI’s Data Privacy Project considers the convergence of regulations on cross-border data transfers in 14 Asian jurisdictions. It was selected from 850 applications showcased at the 3rd edition of the Paris Peace Forum in November 2020.
The project has produced a comparative table and analytical review of the differences and commonalities across these regulations. It aims to provide up to date information, accessible in English, to support data transfers within APAC and between APAC and other parts of the world.
Data protection laws increasingly include extra territoriality, which means companies may be subject to many laws at once. This is not just the case with GDPR but many existing and upcoming regulations in the APAC region.
There are also challenges of scope. Even when the laws look very much the same, entire parts of an economy or society may not be covered. This has huge implications for regulatory cooperation and assessing adequacy or levels of data protection in a destination country.
Data localisation is another issue attracting attention in APAC. A growing number of countries require data to be maintained onshore not just for privacy reasons but also for national security or digital sovereignty.
Provisions are mushrooming across the region, many inspired by GDPR or OEDC privacy guidelines. A few of the countries issuing new or amended privacy legislation include China, India, Thailand, Malaysia, Indonesia, Sri Lanka and Pakistan. So there is a lot of uncertainty.
Additionally, a recent case between the Data Protection Commission (Ireland) and Facebook (often referred to as Schrems II), raised questions about EU-approved data transfer mechanisms including Safe Harbour, Privacy Shield and standard contractual clauses.
The findings have wider implications globally, including in the APAC region, and may act as the catalyst for regulatory alignment around the world. The interdependence of data protection frameworks is now very apparent. Policy makers are renegotiating and updating standard contractual clauses.
Dr Girot outlined some mechanisms that can be used to promote interoperability, such as contracts, binding corporate rules, certification, codes of conduct and other accountability measures.
Recent surveys show that information governance is regarded as a key enabler for managing data protection and safe data transfers. This includes knowing where your data is held (including copies), lifecycle management, storage and disposal.
If you would like to listen to the full discussion you can access a recording of the session here.
Sonya Sherman is a member of the Information Governance ANZ advisory board member and Principal at Zen Information.
