Kevin Shepherdson, CEO and founder of Straits Interactive
The digital age has made personal data the lifeblood of economies, as people share data and information practically daily. Data protection and privacy laws have been developed to safeguard the personal information of individuals and organisations. The most recent, and most significant, addition is China’s Personal Information Protection Law, which was enacted on 1 November 2021.
With various data privacy/protection laws in place across the world, how do they compare in terms of the privacy and protection of personal data?
With the threats becoming more significant with each passing year, we decided to take a closer look at some of the most prominent and established data privacy/protection laws, the similarities and differences, and what this means for businesses operating in these jurisdictions.
Key themes of the GDPR
The European Union’s General Data Protection Regulation (EU GDPR), first adopted in 2016, is the de-facto reference standard for ASEAN data protection/privacy laws.
The following are three of the key themes of the GDPR:
Social concerns: The social impact of personal data is of particular interest in the EU. GDPR promotes fair and ethical use of AI in data processing, calling for trust and accountability.
Human rights: GDPR gives individuals the right to be informed about their personal data, and the ability to rectify and restrict processing, including erasing their data.
Cross-border transactions/data flows: GDPR calls for restrictions on the transfer of personal data outside of the EU, to ensure that the protection of the individual is not undermined.
EU, ASEAN, US data protection/privacy legislation
In the following table, we can see the comparison between the GDPR and the various ASEAN data protection/privacy laws.
| EU | SG | MY | PH | TH | ID |
|---|---|---|---|---|---|
| Lawfulness of processing with stricter consent requirements | ✔ | ✔ | ✔ | ✔ | ✔ |
| Sensitive data / Special categories | NRIC | ✔ | ✔ | ✔ | ✔ |
| Requirements for DPO | ✔ | ✔* | ✔ | ✔ | ✔ |
| Stricter requirements for processors | ✔ | ✔* | ✔ | ✔ | ✔ |
| Data Protection Impact Assessment | Recommended | Recommended | Recommended | Recommended | Recommended |
| Data Protection by Design | Recommended | Recommended | Recommended | Recommended | Recommended |
| Data Breach notification | ✔ | Recommended | ✔ | ✔ | ✔ |
| Records of processing (*INDO, TH) | Best practice | Best practice | Best practice | ✔ | ✔ |
| Extra-territorial application (*PHI, TH) | N/A | N/A | ✔* | ✔ | N/A |
Table from Data Protection Excellence (DPEX) Network
There are many similarities, because the laws share a common concept, and some of the GDPR’s key principles have clearly influenced ASEAN data privacy laws. Countries will create versions that best suit the interests of their jurisdictions.
Operating with different legislations
Although these data privacy/protection laws all seek to protect consumers’ personal data, they differ from country to country. It is therefore essential for organisations with operations across the globe to understand the requirements of the local data privacy laws and adjust their data privacy/protection management programme (DPMP) and practices accordingly.
Data breaches are helping consumers understand the importance of personal data protection, and leading them to expect organisations to safeguard their data. Hence, a sound data privacy/protection management programme is a competitive advantage for businesses, assuring consumers that they are trustworthy and accountable.