Dentons Privacy Community: Data transfers from Asia – key takeaways

Dentons Privacy Community met on September 15, 2021 to discuss how to approach international data transfers in Asia, in particular Singapore, Korea, Hong Kong and China. The session explored the evolving regulatory landscape, the key rules and transfer solutions, and recent legislative developments. Below are the key takeaways. 

Singapore

  • In addition to transfer solutions that will be familiar to privacy professionals in Europe, such as contracts and binding corporate rules, data exporters in Singapore can rely on certification mechanisms to facilitate cross-border transfers: the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules System and the APEC Privacy Recognition for Processors. These multilateral certification mechanisms ensure certified organizations have policies that are consistent with the APEC framework and allow data transfers within participating APEC countries.
  • Furthermore, the ASEAN Model Contractual Clauses (MCCs) were launched in January 2021. These template contractual clauses are a transfer solution that can be included in contracts for transfers within ASEAN member states, or they can be modified for transfers to businesses in other jurisdictions. They provide a legal basis for transfers, address key issues, and reduce the time and costs associated with negotiations. However, organizations relying on them still need to ensure they are complying with member state’s broader requirements. For example, Singapore Personal Data Protection Act (PDPA) recommends certain adjustments to the MCCs.

South Korea

  • Last year, three overlapping privacy-related laws were consolidated into the Revised Personal Information Protection Act. Provisions governing international transfers impose requirements on “information and communications services providers” where they intend to transfer data abroad.
  • Consent is generally required for data transfers from South Korea, although exceptions may apply where exporters provide for this in their privacy notice or notify data subjects directly. Exporters must also negotiate with recipients of personal data to ensure suitable safeguards are included in the agreement governing the transfer. 

Hong Kong

  • Organizations intending to transfer data outside of Hong Kong face a choice: operating strictly within the provisions of the principle-based Personal Data (Privacy) Ordinance (PDPO) as they currently are, or taking account of Section 33 of the PDPO, —which is not yet in force. Many large companies and financial institutions choose the latter.
  • Under Section 33 of the PDPO, organizations can rely on a number of transfer solutions. Transfers are permitted:
  • to countries on the “white list” (yet to be published),
    • countries which, in the exporter’s reasonable view, offer a substantially similar level of protection to Hong Kong’s,
    • with the data subjects’ consent,
    • in order to avoid or mitigate adverse action,
    • or subject to certain statutory exemptions.

In addition to the above, there is a final “catch-all” that permits transfers where the exporter has undertaken appropriate due diligence and taken reasonable precautions to ensure that the data transferred will not be processed in a way that breaches the PDPO.

China

  • In August 2021, China passed the Personal Information Protection Law (PIPL), which comes into effect on November 1, 2021. Currently, restrictions on cross-border transfers apply in respect of:
  • The type of exporter—with Critical Information Infrastructure Operators (CIIOs) subject to more stringent obligations than the broader category of Network Operators
    • The categories of personal information, with robust restrictions on exporting financial and medical data
    • International judicial assistance, with prohibitions on providing personal data stored within China to foreign law enforcement authorities
  • Once it comes into effect, the PIPL will introduce three pre-conditions for cross-border transfers: requirements for a comparable protection standard of foreign processing, separate consent, and for exporters to carry out impact assessments and maintain records. In addition, there will be three approaches to cross-border transfers: a security assessment coordinated by the Cyberspace Administration of China (CAC), which will be compulsory for CIIOs (although the precise scope is to be confirmed); a protection certification from an accredited institute; or a standard contract with the overseas recipient to be formulated by the CAC.