By Kevin Shepherdson
Growing threats from cybercriminals as well as unscrupulous businesses have seen governments around the world enact digital privacy legislation, but which region provides the most robust protection? Kevin Shepherdson, CEO and Founder of Straits Interactive, investigates
Personal data is an extremely important part of daily life, not to mention of businesses and the global economy. To ensure that organisations use individuals' personal information correctly, data protection and privacy laws have taken a prominent position in a growing number of jurisdictions worldwide. The most recent addition, as of 1 November 2021, is China’s Personal Information Protection Law (PIPL).
As we prepare for whatever challenges 2022 brings, let us look at these privacy laws in place around the world, and how they compare to one another in terms of the protection they bestow on individuals and businesses.
Key themes of the GDPR
The European Union’s General Data Protection Regulation (EU GDPR) is undoubtedly the reference standard for ASEAN data protection/privacy laws, as it is considered one of the most comprehensive laws in the world.
The following are some of the key themes of the GDPR:
Social concerns: EU lawmakers have been concerned with the social impact of using personal data for profit. For instance, the GDPR promotes the fair and ethical use of artificial intelligence relating to personal data processing, which calls for trust and accountability. When AI systems process personal data, for example in profiling and automated individual decision-making, the GDPR has provisions that call for individuals to be informed about such personal data processing and even be able to object to it.
Human rights: In general, the GDPR allows individuals to be informed about the processing of, have access to, rectify, restrict the processing of, erase, and dictate the portability of their personal data.
Cross-border transactions/data flows: The GDPR calls for restrictions on the transfer of personal data outside of the European Union, to third countries or international organisations, to ensure that the protection of the individual is not undermined.
EU, ASEAN, US data protection/privacy legislation
In the table below, we can see the comparison between the GDPR and the several different ASEAN data protection/privacy laws.
EU GDPR requirement | SG | MY | PH | TH | ID |
Lawfulness of processing with stricter consent requirements | ✔ | ✔ | ✔ | ✔ | ✔ |
Sensitive data / Special categories | NRIC | ✔ | ✔ | ✔ | ✔ |
Requirements for DPO | ✔ | ✔* | ✔ | ✔ | ✔ |
Stricter requirements for processors | ✔ | ✔* | ✔ | ✔ | ✔ |
Data Protection Impact Assessment | Recommended | Recommended | Recommended | Recommended | Recommended |
Data Protection by Design | Recommended | Recommended | Recommended | Recommended | Recommended |
Data Breach notification | ✔ | Recommended | ✔ | ✔ | ✔ |
Records of processing (*INDO, TH) | Best practice | Best practice | Best practice | ✔ | ✔ |
Extra-territorial application (*PHI, TH) | N/A | N/A | ✔* | ✔ | N/A |
Table from Data Protection Excellence (DPEX) Network
As can be seen above, there are many similarities between the various countries’ laws. This is most likely because the concept of personal data protection covers the same ground everywhere: the collection, use and storage of personal information, as well as the disclosure or transfer of that data.
It can also be seen that some of the GDPR’s key principles have been influential on ASEAN data privacy laws. However, countries will adapt and create versions of these laws that best suit the interests of their jurisdictions.
Table extracted from Varonis: https://www.varonis.com/blog/us-privacy-laws/
An example of this is the United States, which has no single data privacy law that all states and organisations must comply with. Nevertheless, some states have their own laws protecting the personal data of consumers. For example, California has the California Consumer Privacy Act (CCPA). The table from Varonis below compares the EU’s GDPR and California’s CCPA, showing that laws share similarities but also differ according to the interests of each jurisdiction.
Between the GDPR and the CCPA, there are similarities with regard to the right to erasure, the right to be informed, the right to withdraw consent and to object, the right to access, and the right to data portability.
Table extracted from Varonis: https://www.varonis.com/blog/us-privacy-laws/
Operating with different legislations
Even though data privacy/protection laws all seek to protect consumers’ personal data, they differ from country to country. It is therefore essential for organisations with operations across the globe to understand the requirements of each local data privacy law and to adjust their data protection management programme (DPMP) and practices accordingly. Without such compliance, organisations risk falling foul of the law and even being fined by data privacy/protection regulators in jurisdictions such as the European Union or Singapore.
Data breaches have caused great concern amongst consumers and are making them increasingly aware of the importance of protecting their personal data; they expect organisations to safeguard their data and to use it only as agreed. Hence, a reliable data privacy/protection management programme is both a necessity and a competitive advantage for businesses, as it assures consumers that they can be trusted with sensitive information.
Kevin Shepherdson is the CEO and Founder of Straits Interactive, a data privacy consultancy and training provider, based in Singapore. To learn more, please visit Straitsinteractive.com.