Event Report: FPF APAC and ABLI Report Launch Event and Panel on sidelines of 58th Asia Pacific Privacy Authorities (APPA) Forum in Singapore
Edited by Josh Lee Kok Thong and Isabella Perera
On November 30, the Future of Privacy Forum (FPF) and the Asian Business Law Institute (ABLI) held a joint event to launch their new report, “Balancing Organizational Accountability and Privacy Self-Management in Asia-Pacific,” which provides a detailed comparison of the legal bases for processing personal data in 14 jurisdictions in the Asia-Pacific (APAC) region: Australia, China, India, Indonesia, Hong Kong SAR, Japan, Macau SAR, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand, and Vietnam. The report builds upon a series of 14 individual reports released throughout 2022 that provide an overview of the legal bases for processing personal data in each of these jurisdictions.
This launch event took place on the sidelines of the 58th APPA Forum, hosted by Singapore’s Personal Data Protection Commission (PDPC) between November 29 and 30. Many APPA members – which include privacy and data protection authorities from 18 jurisdictions in APAC and the broader Pacific region – as well as representatives from industry, civil society, and the legal community joined FPF and ABLI for this event.
The event began with introductory remarks by Dr. Gabriela Zanfir-Fortuna (Vice President for Global Privacy, FPF), Josh Lee Kok Thong (Managing Director, FPF APAC), and Rama Tiwari (Chief Executive, Singapore Academy of Law), as well as a brief presentation by Dominic Paulger (Policy Manager, FPF APAC) that outlined the scope and main findings of the report.
These remarks were followed by a panel discussion that focused on key themes from the report and considered how to promote consistency and interoperability in legal bases for processing personal data around the APAC region while also ensuring the right balance between the interests of individuals, the organizations that process their personal data, and society at large.
The discussion was moderated by Yeong Zee Kin (Deputy Commissioner, PDPC), who was joined by four expert panelists: Dr. Clarisse Girot (Head of Data Governance and Privacy Unit, OECD); Leandro Angelo Y. Aguirre (Deputy Commissioner, National Privacy Commission, Philippines); Laura Gardner (Senior Counsel, Data Protection, Microsoft); and Rajesh Sreenivasan (Partner and Head of Technology, Media, and Telecommunications Practice, Rajah and Tann Singapore).
This post summarizes this exciting discussion and the key takeaways.
Role of consent
Moderator Yeong Zee Kin commenced the discussion by asking how regulators should think about the role of consent in the digital economy.
Dr. Clarisse Girot noted that due to advances in technology and changes in how organizations process personal data, consent has ceased to be meaningful. In her view, while consent plays an important role in data protection laws, it has been overused in the APAC region because organizations that process personal data and practitioners have tended to regard consent as the easiest available option to comply with regional laws, especially where regulators have not seriously considered alternatives to consent. She suggested that overuse of consent could lead to “consent fatigue” for individuals.
Dr. Girot further noted that it would be appropriate to rely on consent in situations where individuals: (1) understand and can make a genuine decision about how their personal data will be used, (2) voluntarily provide their personal data to an organization, and (3) can withdraw their consent if necessary. However, she considered that such situations would likely be rare in practice. She, therefore, proposed that it may be necessary for regulators to ensure that their data protection laws contain legal bases besides consent to protect individuals from risks of harm.
In this regard, Dr. Girot highlighted the “legitimate interest” basis in European data protection law as a viable alternative basis to consent in situations where it is inappropriate for organizations to seek consent. She explained that because consent requirements are more strictly enforced in the European Union (EU), organizations in the EU tend to rely on legitimate interests (rather than consent) as a legal basis for processing data in most situations. However, she noted that there may be challenges to adopting such an approach in APAC as only a few jurisdictions in APAC currently recognize a legal basis for processing personal data premised on legitimate interests, and that other APAC jurisdictions are unlikely to enact reforms to recognize this basis in the near future.
Laura Gardner agreed that the processes involved in obtaining consent can overwhelm individuals and lead to “consent fatigue”. She added that even where individuals give valid consent, they may not make meaningful decisions as they may not always understand how their personal data will be used, especially if they rush to give consent in order to access a product or service as quickly as possible. In this regard, Ms. Gardner highlighted the importance of providing effective notice, using appropriate user interfaces, and providing the right level of information “just in time” to enable users to make meaningful and informed decisions about how their personal data is used.
Leandro Aguirre shared the National Privacy Commission (NPC)’s experience in implementing consent requirements in the Philippines’ data protection law, the Data Privacy Act of 2012 (DPA). He explained that although the DPA provides several alternative legal bases to consent for processing personal data (including legitimate interests), the NPC initially focused on consent because conceptually, it was easier to understand and appeared to give individuals control over how their personal data would be used.
Mr. Aguirre further clarified that consent and notice are distinct concepts under the DPA: if an organization relies on consent to process personal data under the DPA, the organization would be required to notify the data subject, obtain consent in a recorded manner, and ensure that the consent is freely given, informed, and specific, and that there is an indication of will on the part of the data subject. By contrast, if the organization relies on an alternative legal basis to consent in the DPA to process personal data, then the organization would only be required to notify the data subject.
However, he added that the NPC had realized that in practice, organizations were overusing consent and were passing the burden of validating and legitimizing the processing of personal data to the data subject, causing information overload and “consent fatigue.” Hence, the NPC has been working on a set of guidelines that aims to shift the idea of consent to just-in-time notices, which Mr. Aguirre hopes will encourage companies to rely on other legal bases, such as legitimate interests, to process personal data.
Promoting complementary alternatives to consent, like legitimate interests
Moving the discussion from consent to alternatives to consent, moderator Yeong Zee Kin shared a regulator’s perspective on alternatives to consent, focusing on the PDPC’s experiences of developing alternatives like legitimate interests in the 2020 amendments to Singapore’s Personal Data Protection Act 2012 (PDPA). He explained that when the PDPC first proposed including a legitimate interest basis in the PDPA, the PDPC was guided by the legislative purpose of the PDPA, which is to govern processing of personal data in a manner that recognizes both the right of individuals to protect their personal data and the need of organizations to process personal data for reasonable purposes.
Laura Gardner observed that a benefit of the legitimate interest basis, compared with consent, is that it builds in accountability in organizations. This is because the basis requires organizations to assess the benefits and risks of processing personal data to the individual and, if necessary, take steps to mitigate risks. Nevertheless, she also noted that a difficulty with this basis is that organizations may not feel as comfortable relying on it because they may be concerned that regulators may not agree with the organization’s assessment of the balance of interests. She stressed that regulators could help organizations gain greater familiarity with the legitimate interest basis by issuing clear guidance with specific examples of use cases on where the basis could be applied.
Leandro Aguirre emphasized that when relying on legitimate interests, companies are in a better position than the data subject to assess the impact of processing on the data subject as data subjects may not be able to understand everything provided to them. As for how the NPC regards the legitimate interest basis, Mr. Aguirre explained that three things must be considered: (1) organizations have to establish the existence of a legitimate interest; (2) the processing of personal data must be necessary for this legitimate interest; and (3) the legitimate interest must not override the fundamental human rights and freedoms of data subjects. He added that in the event of a violation, the NPC would only recommend prosecution if there were gross negligence on the part of the organization. This means that as long as an organization has accountability measures in place, it would not necessarily face an enforcement action from the NPC simply because the regulator does not agree with the organization’s legitimate interest assessment. He further added that dialogue between regulators and organizations is essential to increase clarity around the use of the legitimate interest and to ensure that organizations are comfortable relying on this legal basis when processing personal data.
Rajesh Sreenivasan shared the perspective of legal practitioners who advise organizations that process personal data. He explained that despite the existence of accountability-focused alternatives to consent, like legitimate interests and the business improvement exception in Singapore’s PDPA and other similar laws, many lawyers today would still advise their clients to rely on consent, as practitioners may believe that it is easier to demonstrate and operationalize compliance with consent requirements (e.g., by producing a completed consent form). He added that practitioners and clients may also believe that accountability approaches to processing personal data would impose greater burdens on organizations.
Nonetheless, Mr. Sreenivasan observed that there are objective measures that can be used to demonstrate accountability, such as data protection impact assessments. He also noted that accountability-focused approaches like the legitimate interest basis may prove useful in situations where it is difficult to obtain meaningful consent, such as data analytics or artificial intelligence applications where data processing is so complex and dynamic that individuals may not be well-placed to understand how their personal data will be processed.
Mr. Sreenivasan also drew attention to Singapore’s decision in the 2020 amendments to the PDPA to create a legal basis for processing personal data, known as the “business improvement exception,” to address situations where the balance of interests is more strongly weighted in favor of businesses in developing products and services.
On a final note, Mr. Sreenivasan also stressed that regulators should not compel organizations to use consent, legitimate interests, or other alternative legal bases in specific situations. Instead, he suggested that regulators should permit organizations to make choices based on their own needs.
Consistency and interoperability of regional laws
Yeong Zee Kin explained that in amending Singapore’s PDPA, the PDPC also sought to facilitate cross-border compliance by ensuring that the PDPA had similar structures to those in the EU’s General Data Protection Regulation (GDPR) and other laws in APAC that had followed the GDPR’s example, such as a legitimate interest basis for processing personal data.
Clarisse Girot stressed that consent is still the main connecting point between jurisdictions in the APAC region. She suggested that even if individual jurisdictions promoted alternatives to consent, organizations that process personal data in multiple jurisdictions would likely only start incorporating those alternatives into their compliance frameworks if there was a “critical mass” of jurisdictions with similar alternatives. Dr. Girot thus encouraged regional regulators to come together to look for similar structures within their respective laws, and issue consistent guidance on alternatives to consent.