Countries throughout the Asia-Pacific (APAC) region are rapidly bringing national data protection laws online. A new report from the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI) promotes a shift from consent-based models to a focus on accountability for data processors, in the interest of improving consistency between jurisdictions that have substantially different legal systems.
Report finds, promotes trend toward accountability models in APAC
To say that the APAC region has a varied set of laws and regulatory frameworks is a bit of an understatement. As APAC nations rapidly bring data protection laws online, the matter of transferring and protecting personal data as it moves between these nations becomes a prominent issue.
The general standard in the region at present is “compliance through consent,” or centering the rules on what the data subject chooses to allow. Organizations sometimes collect consent beyond even what the local jurisdiction requires, as they feel it keeps their bases covered when data moves between regions. Generally, consent practices across all jurisdictions are keyed to the biggest and most influential nations in the region with the most robust data protection laws.
This model has run into trouble in recent years, however, as privacy advocates have come out against it and have found a receptive ear in a number of influential regional governments. Singapore retooled its privacy laws in 2020, Australia and New Zealand are in the midst of revamping their longstanding Privacy Acts, and a number of other APAC nations (such as India and South Korea) have had substantial high-level discussions about how adequate consent models will be going forward.
However, at the moment, all 14 APAC jurisdictions recognize consent as a legal basis for processing personal data and it is the one commonality across all of their legal frameworks. But it is only a legal basis for collection and use of data for a primary purpose in 10 of these jurisdictions. The Hong Kong SAR and three countries (Australia, New Zealand and Japan) allow consent as a legal basis only for specific enumerated activities, which further vary by country. And six jurisdictions provide only a limited definition of what “consent” actually entails as part of their data protection laws.
So though some manner of consent collection technically meets legal muster across the region, the international data transfer landscape remains something of a mess. Each country’s data protection laws have a different number of consent conditions, and no single condition for consent is shared by all of them. Some require informed and voluntary consent, some do not. And only a minority require that consent be written or recorded, or that it be “explicit” in nature.
Can an accountability focus make APAC data protection laws interoperable?
Though there is a great degree of difference in how data protection laws are structured, the report notes that all the APAC nations share a desire to harmonize their frameworks for the purpose of smooth international data transfer.
Could an accountability focus pave these roads? The report finds that consent must be retained as a legal basis for processing data across the region, but as one of several such bases. One of these universal alternatives that the report promotes is the “legitimate interest” basis, to at minimum cover situations where consent is not appropriate or workable.
The research finds that legal reform would be necessary in most of these jurisdictions, but that most also already have usable legal structures in place and that much could be accomplished by issuing consistent and coordinated guidelines. Accountability would shift to the processing organization to a great degree by requiring them to demonstrate a legitimate interest provided for by these coordinated rules and guidelines. The report suggests the EU GDPR’s “balancing test” as a model, along with a clear list of “use cases” based on reasonable expectations of data subjects in which it is invoked as a legal basis.
One subject that is not yet broached in this accountability discussion is what penalties would look like, as these vary greatly by nation in APAC. Though the Chinese government retains almost unfettered access to personal data in the country, it also has some of the world’s harshest penalties for domestic businesses that violate privacy laws, hitting tech giants like Alibaba and Didi with fines equivalent to over $1 billion recently.
That also raises the issue of government access to personal data and how standards for unified data protection laws could possibly address it, given the great disparity in how these governments handle personal data. While the EU has been able to organize around a shared set of standards that APAC might use as a model, it also sets out clear terms for nations outside the bloc to be considered adequate data transfer partners. The lack of accountability for some governments that might help themselves to international personal data could very well be a sticking point for this concept.