There is no doubt that privacy laws in Asia have become very important to businesses operating in the Asia Pacific region. Here is a brief summary of the privacy laws of several jurisdictions in Asia:
1. Australia – Australia’s privacy law was first enacted in 1988. It has been modified twice since then, most recently in 2012. There is no provision for a data protection officer (DPO). However, under the Privacy Act, there is an obligation to follow or comply with the procedures set forth in the Privacy Principles, a set of privacy principles enacted with the 2012 amendments. One of the most significant changes in the Australian Privacy Act was a provision extending the applicability of the privacy laws to cover overseas handling of personal information.
2. Hong Kong – Hong Kong was the second jurisdiction in Asia to adopt a comprehensive data privacy law. The law, called the Hong Kong Privacy Ordinance, was enacted in 1995. The Privacy Ordinance applies to both public and private sectors and protects private information of natural persons. Amended in 2012, the Privacy Ordinance regulates the use of personal information in marketing activities. Like Australia, the Hong Kong privacy law does not require the appointment of a DPO, but it is recommended that companies appoint one.
3. India – India issued regulations in 2011 that implemented parts of the 2008 Information Technology Act. The 2011 regulations cover the protection of personal information. The regulations set forth how personal information may be used and collected by all organizations in India. Like Australia, the Indian privacy rules do not require the appointment of a DPO. There are, however, limitations on cross-border transfer of private information, but such limitations apply only to sensitive personal information.
4. Singapore – Singapore’s set of comprehensive data privacy laws, known as the Personal Data Protection Act, was enacted in 2013. The law governs the use, collection and disclosure of personal information by organizations in the private sector. Unlike Hong Kong, Singapore’s privacy law requires appointment of a DPO and restricts cross-border transfers of personal information.
5. South Korea – Korea’s data protection law, the Personal Information Protection Act (PIPA), took effect in 2011. It governs the processing of personal information of natural persons by the public and private sectors. PIPA is the basic overall privacy law in Korea, though there are other more specific laws covering privacy in certain sectors such as IT networks, use of credit information and electronic financial transactions. Like Singapore, organizations are required to appoint a DPO. The Korean privacy laws are quite strict and have significant data security requirements.
When it comes to doing business in Asia, one must be cognizant of the various privacy laws in the region and the obligations a company faces when using or collecting personal data. As you can see above, various jurisdictions have different views on the use, collection and disclosure of personal data.