In March 2022, Baker McKenzie’s Data Privacy & Security Team across offices presented the Asia Pacific edition of Deciphering Data, the Firm’s webinar series that aims to help companies and organisations decode complex developments in data privacy and cybersecurity. Our diverse team of cross-border experts offered their expertise and insight in this webinar series to help you understand the legal lay of the land and prepare for the future of privacy in Asia Pacific and beyond.
- Trends towards more stringent privacy laws across Asia Pacific: In recent years, we have seen many jurisdictions in Asia Pacific go from having little in the way of data protection to having strict data protection regimes. Some of these regimes have incorporated GDPR-esque provisions, such as Japan’s amendments to the Act on the Protection of Personal Information (APPI), which came into effect on 1 April 2022. Others, such as China’s Personal Information Protection Law (PIPL), adopt even stricter requirements.
- Recognition of growing risks associated with personal data and cybersecurity: As stricter, more detailed and sanctionable data protection laws develop in the region, there is also an increase in the risk associated with collecting, storing and processing data. International data transfers, in particular, have grown more complex, with more jurisdictions implementing international data transfer regimes and model contracts.
- Regulation of Artificial Intelligence (AI) is currently limited but there are frameworks in place: While the EU undoubtedly leads the way in terms of AI regulation with its AI Regulations expected later this year, jurisdictions across Asia Pacific are yet to implement legislation governing AI from a privacy perspective. However, the principles set out in the EU proposals are being reflected in the non-mandatory AI development frameworks and ethical principles in a number of Asia Pacific jurisdictions such as Australia, Singapore and Japan. These frameworks focus on ensuring transparency, replicability and fairness when implementing AI technology and promote a “Privacy by Design” approach to AI design.
- Ensure privacy compliance programs are built around knowledge, organisation, process & procedures and balance for them to be effective and sustainable: There are four key elements to consider to ensure that a company’s privacy compliance program is both effective and sustainable: knowledge, organisation, process & procedures and balance. Companies can only comply with what they know, and keeping a close watch on the data protection landscape is key to maintaining an effective privacy compliance program. Such programs also require an appropriate set of resources and structure that aligns with the business’ priorities and organisation. While the days of one-size-fits-all policies are over, maintaining a standard set of procedures across the board remains essential. With increased globalisation, digitalisation and growing complexity of products and services, compliance can be difficult when laws are not easily translated into points of action. Companies must be aware of the fast-evolving global and local data protection landscape and be able to respond as appropriate. While the GDPR remains a good starting point in designing privacy compliance programs, it is by no means the only barometer, as compliance with local privacy regimes is becoming more nuanced, particularly around the Asia Pacific region. Commercial and operational considerations are also key factors to take into account in the design of a privacy compliance program, with the company’s objectives, stakeholders, structure and resources also playing a critical role in the program’s design.