Navigating Cross-Border Data Transfers in the Asia-Pacific region (APAC): Analyzing Legal Developments from 2021 to 2023

FILTER
September 13, 2023
Josh Lee Kok Thong
Managing Director for APAC
About Josh
Blogs by Josh
Dominic Paulger
Deputy Director for Asia-Pacific and China
About Dominic
Blogs by Dominic

Today, the Future of Privacy Forum (FPF) published an Issue Brief comparatively analyzing cross-border data transfer provisions in new data protection laws in the Asia-Pacific. Titled Navigating Cross-Border Data Transfers in the Asia-Pacific region (APAC): Analyzing Legal Developments from 2021 to 2023, the Issue Brief outlines key developments in cross-border data transfers in the Asia-Pacific in the last few years, and explores the potential impact on businesses operating in the APAC region.

DOWNLOAD THE ISSUE BRIEF

Today, cross-border data transfers are pivotal in enabling the global digital economy and facilitating digital trade. These transfers allow businesses to provide services globally, while allowing individuals access to a wide range of digital services and platforms. Yet, cross-border data transfers also raise legitimate concerns regarding the protection of individuals’ privacy and security.

Amidst this tension, data protection laws attempt to strike a balance by requiring organizations to satisfy certain conditions to ensure that personal data is appropriately protected when it is transferred out of jurisdiction, absent special circumstances. Common conditions include:

  • Assessment of the level of personal data protection in the destination jurisdiction (also known as “adequacy”);
  • Adoption of safeguards, such as legally binding agreements or certifications or rules approved by a regulator;
  • Consent from data subjects; and
  • Necessity for various, specifically defined purposes.

The APAC region has seen a significant acceleration in data protection regulatory activity in recent years, including the enactment of new data protection laws. In particular, since 2021, China, Indonesia, Japan, South Korea, Thailand, and Vietnam have newly enacted or amended their data protection laws and regulations.

An analysis of the data protection laws and regulations in these six jurisdictions indicates that there is a degree of alignment between Indonesia, Japan, South Korea, and Thailand regarding legal bases for cross-border data transfers, but China and Vietnam appear to be outliers with their own unique requirements. Notably:

  • Indonesia, Japan, South Korea, and Thailand all recognize adequacy and consent as valid legal bases for cross-border data transfers. There is also some alignment on the recognition of certification schemes.
  • However, given that these laws were enacted or amended recently, there remains uncertainty on which jurisdictions might be recognized as mutually adequate, or which certification schemes will be ultimately recognized.
  • China and Vietnam differ substantially from the other jurisdictions studied. Both jurisdictions impose unique conditions for transferring personal data, such as requiring transferring organizations to file detailed assessments with the relevant regulator.
  • Vietnam also only recognizes a single legal basis for transferring personal data abroad, while China recognizes three.

These divergences to regulating cross-border data transfers likely reflect the different policy considerations in every jurisdiction, the tension between enabling cross-border data transfers to facilitate digital trade, and national considerations, such as protecting national security and sovereignty. These divergences could complicate efforts by organizations operating in multiple jurisdictions to align their regional compliance programs. Nonetheless, there are promising avenues for increasing interoperability in the region, such as standardized or model contractual clauses, the growing recognition of regional certification schemes such as the APEC Cross Border Privacy Rules and Privacy Recognition for Processors systems, and to a more limited extent, the possibility that some jurisdictions may obtain adequacy decisions from the European Union in future.

For deeper analysis of these points and of the cross-border data transfer provisions for each of the six jurisdictions covered, download the Issue Brief here.

For inquiries about this Issue Brief, please contact Josh Lee Kok Thong, Managing Director (APAC), at [email protected], or Dominic Paulger, Policy Manager (APAC), at [email protected].

FPF is grateful to the following contributors for their assistance in ensuring the accuracy of this report:

  • Kemeng Cai (In-house Privacy Counsel, China)
  • Iqsan Sirie (Partner, TMT, Assegaf Hamzah & Partners) and Daniar Supriyadi (Associate, Capital Markets, M&A, Assegaf Hamzah & Partners)
  • Takeshige Sugimoto (Managing Director and Partner, S&K Brussels LPC; Senior Fellow, Future of Privacy Forum)
  • Thitirat Thipsamritkul (Lecturer, Faculty of Law, Thammasat University)
  • Kwang Bae Park (Partner, Head of TMT, Lee & Ko)
  • Kat MH Hille (General Counsel, OceanCDR.Tech)

Please note that nothing in this Issue Brief should be construed as legal advice.
Further reading: In November 2022, FPF’s APAC office concluded a year-long project  on consent and alternative legal bases for processing data in APAC that culminated in a report comparing relevant requirements in 14 APAC jurisdictions.

Published: Last Updated: September 13, 2023
Tags:

Explore

Issues

authors

dates

Posts by Dominic and Josh

global,network,connection.,world,map,point,and,line,composition,concept
Regulatory Strategies of Data Protection Authorities in the Asia-Pacific Region: 2024, and Beyond
Read More
global,network,connection.,world,map,point,and,line,composition,concept
Regulatory Strategies of Data Protection Authorities in the Asia-Pacific Region: 2024, and Beyond
Read More
fpf apac gena 1080x1080
New Report Examines Generative AI Governance Frameworks Across the Asia-Pacific Region
Read More
View More