Convergence of the rules and standards for cross-border data transfers in Asia

Background

Data protection and privacy laws have become a common feature of the legal landscape in Asia. However, significant differences exist between the data privacy laws enacted in different jurisdictions. Some are in the process of adopting such laws, while others have had bills pending for years, with no predictable outcome.

This complex environment is a source of business concern, in a context where multi-jurisdictional compliance is hard to achieve, enforcement is taking off, penalties for non-compliance are increasing and data protection and privacy regulators are setting up regional and international networks to support joint enforcement initiatives.

To address these concerns, ABLI is undertaking a multi-stakeholder project focusing on the key issue of the regulation of international data transfers in a selection of Asian jurisdictions (Project). The Project aims to propose actions that could achieve convergence in this area of law, based on feedback provided by stakeholders in the public and private sectors in the region.

The Project involves two phases:

  • Phase one: A mapping of the data transfer rules in certain Asian jurisdictions (see below).
  • Phase two: An examination of the output of the mapping exercise to propose policy options to governments and policy-makers and make suitable recommendations for the convergence of rules and standards on cross-border data transfers.

Conception

The Project was first raised on 21 January 2016 by the Honourable the Chief Justice Sundaresh Menon in his Key Note Address at the Doing Business Across Asia: Legal Convergence in an Asian Century conference held in Singapore. His Honour stated:

The second project could be aimed at the convergence of data privacy laws. This is an area that is ripe for policy and legal review and reform in this age of the Internet and smart businesses. The number of national data privacy laws in the world has grown exponentially since the first such legislation was passed in Sweden in 1973.[1] Data privacy laws are now a common feature of the legal landscape in many countries but, in Asia, studies suggest that they are neither “universal nor … close to uniform”.[2] This has been attributed to our different legal traditions and also to our diverse rates of development, policies and cultures. This could be earmarked as a subject that would benefit greatly from applied study. To that end, we have had preliminary discussions with similar institutes to collaborate in a joint project to draw up global principles on data privacy laws and we have thus far been met with considerable interest.

Phase one. Mapping the regulation of cross-border transfers of personal data in Asia

a. Selection of Jurisdictional Reporters

In July 2017, a team of 17 experts from 14 jurisdictions (Jurisdictional Reporters) was selected by ABLI to map the regulation of cross-border transfers of personal data in certain Asian countries (see "Jurisdictions" below). The team comprises experts from academia and practice.

b. Towards a shared legal ecosystem for international data transfers in Asia

On 7 February 2018, ABLI hosted at the Supreme Court of Singapore a forum titled Towards a shared legal ecosystem for international data transfers in Asia (Forum) for the purpose of discussing how to achieve a common Asian framework to share and transfer information across borders.

The Forum was attended by 90 individuals from 19 jurisdictions, comprising representatives from government, data protection regulators, industry and the legal community. Such a meeting was a first for Asia.

c. Regulation of Cross-Border Transfers of Personal Data in Asia

In May 2018, ABLI launched its second publication in ABLI's Legal Convergence Series titled Regulation of Cross-Border Transfers of Personal Data in Asia (Compendium).

 

Regulation of Cross-Border Transfers of Personal Data in Asia (softcover), May 2018, by Clarisse Girot (editor)

 

The Compendium comprises 14 reports (Jurisdictional Reports) prepared by the Jurisdictional Reporters on the regulation of cross-border transfers of personal data in 14 Asian jurisdictions.

The first of its kind in Asia, the Compendium provides a holistic study of the regulation of data transfers in these different jurisdictions, which goes beyond a mere study of data transfer provisions in Asian data privacy laws to address the wider spectrum of issues that have an impact on the legal framework of cross-border data flows. It is designed for governments, data privacy regulators, law practitioners and industry, in Asia and beyond, to understand the scope, the operation and the implementation of regulations applicable to data transfers and data localisation requirements in the region.

Phase two. Options for further convergence

The Compendium acts as a springboard for the next phase of the Project, which will be devoted to the in-depth study of the differences and commonalities between Asian legal systems on these issues and, where feasible, the drafting of recommendations and/or policy options to achieve convergence in this area of law in Asia.

The issues covered in the second phase have been selected with input from the jurisdictional reporters, public and private stakeholders across the region, and based on recommendations of relevant international organisations.

The Project is currently in phase two.

Jurisdictions

The Project considers the regulations in the jurisdictions represented by ABLI's Board of Governors, other Asian and Oceanic jurisdictions which have cross-border controls in place and other Asian jurisdictions which are considering putting such controls in place. That is:

Contributors

Consistent with ABLI's Asia-centric focus, 88% of contributors are from ASEAN, East Asia and South Asia—with an additional 12% from Australia and New Zealand. Congruent with ABLI's aim of providing practical guidance, 71% of contributors are practitioners, with an additional 18% from academia and another 12% from a not-for-profit research and policy organisation. 

Project Lead and Editor

Dr Clarisse Girot
   Dr Clarisse GIROT is a Senior Research Fellow at the Asian Business Law Institute. Dr Girot was previously Counsel to the President of the French data privacy regulator, Commission nationale de l'informatique et des libertés (CNIL), and prior to that Dr Girot was head of CNIL’s department for European and International Affairs.

 

Jurisdictional Reporters

  1. Mr CAI Kemeng, Dentons Beijing Office (China)
  2. Mr Ken CHIA, Baker & McKenzie - Wong & Leow (Singapore)
  3. Mr David DUNCAN, Tilleke & Gibbins (Thailand)
  4. Mr JJ DISINI, Disini & Disini Law Office (Philippines)
  5. Katrine EVANS, Hayman Lawyers (New Zealand)
  6. Ms Elonnai HICKOK, Centre for Internet and Society (India)
  7. Associate Professor Kaori ISHII, University of Tsukuba (Japan)
  8. Mr Danny KOBRATA, K&K Advocates (Indonesia)
  9. Mr Justi KUSUMAH, K&K Advocates (Indonesia)
  10. Mr Peter LEONARD, Gilbert + Tobin (Australia)
  11. Professor Abu Bakar MUNIR, University of Malaya (Malaysia)
  12. Mr Kwang Bae PARK, Lee & Ko (Korea)
  13. Mr Mark PARSONS, Hogan Lovells (Hong Kong SAR)
  14. Ms Waewpen PIEMWICHAI, Tilleke & Gibbins (Vietnam)
  15. Ms Graça SARAIVA, Venetian Macau Limited (Macau SAR)
  16. Mr Amber SINHA, Centre for Internet and Society (India)
  17. Professor Fumio SHIMPO, Keio University (Japan)

Chronology

  • 26 September 2018, Regulation of Cross-Border Transfers of Personal Data in Asia is referred to by the Supreme Court of India in its landmark judgment on the constitutionality of India's Aadhaar system.
  • 23 July 2018, Project Lead, Dr Clarisse Girot, chairs the first session of the annual Asia Forum of the International Association of Privacy Professionals (IAPP) in Singapore
  • 5 June 2018, Project Lead, Dr Clarisse Girot, presents the lessons learnt from the Project at the 2018 Annual Forum of the Research Alliance for Data Governance and Cyber Security (DGCS-Alliance) in Beijing, China
  • June 2018, The publication of Regulation of Cross-Border Transfers of Personal Data in Asia is reported in Privacy Laws and Business International Review (Issue 153, June 2018, pages 20-21)
  • April 2018, The Project is mentioned in Hogan Lovells' Asia Pacific Data Protection and Cyber Security Guide 2018 as among the 3 key initiatives to watch in 2018
  • 28 May 2018, The publication of Regulation of Cross-Border Transfers of Personal Data in Asia is reported by the Australasian Lawyer and Tilleke & Gibbins
  • May 2018, ABLI launches Regulation of Cross-Border Transfers of Personal Data in Asia
  • 7 February 2018, ABLI hosts Towards a shared legal ecosystem for international data transfers in Asia forum at the Supreme Court of Singapore
  • July 2017, ABLI's Board of Governors approves the Project
  • 21 January 2016, The Hon the Chief Justice Sundaresh Menon proposes the Project at the Doing Business Across Asia: Legal Convergence in an Asian Century conference held in Singapore

 



  1. Graham Greenleaf, Asian Data Privacy Laws: Trade and Human Rights Perspectives (Oxford University Press, 2015) (Asian Data Privacy Laws) at pp 6–7.

  2. Asian Data Privacy Laws at p 12.

Copyright © 2019 Asian Business Law Institute.
