FPF and Singapore PDPC Event: “Data Sovereignty, Data Transfers and Data Protection – Impact on AI and Immersive Tech”

On July 21, the Future of Privacy Forum (FPF) and Singapore’s Personal Data Protection Commission (PDPC) co-hosted a workshop as part of Singapore’s Personal Data Protection Week, titled “Data Sovereignty, Data Transfers and Data Protection – Impact on AI and Immersive Tech” at Marina Bay Sands Expo and Convention Center in Singapore.

The event focused on international data transfers and their importance to new and emerging technologies.

FPF moderated two panel discussions, bringing together experts and thought leaders from academia, government, industry, and law:

This post summarizes the exciting discussions from these two panels and presents the key takeaways.

Panel 1: “Data Localization vs International Data Transfers”


The first panel stressed the need to distinguish data localization measures from transfer obligations, as both have different goals and use different mechanisms to accomplish those aims. Yeong Zee Kin explained that data localization and data transfer obligations are two separate but overlapping issues. From a regulatory perspective, data localization measures either prohibit data flows or enforce local storage and processing, while data transfer obligations allow data to flow in a protected and safe manner. Data localization measures may appear in privacy laws as well as sectoral regulations, and target different types of data (including non-personal data in some circumstances). Data transfer mechanisms also come in many forms, such as certification, standard contractual clauses (SCCs), and binding corporate rules (BCRs), each with its own method of ensuring data protection. The range of transfer mechanisms provides solutions that can be tailored to different use cases and scales of data transfer.

Yeong stressed that global stakeholders need to reset the conversation around data flows in a way that respects different cultures and promotes global consensus around key issues like supervisory and law enforcement access to data. This resonated with Tobias Judin who said that the EU can continue to play a strong role to promote consensus around data transfers. He stressed that while countries pass their own rules, there are still options to facilitate data flows and that governments can accomplish data protection goals without passing localization requirements. Judin also highlighted how the EU has created incentives for other countries to adopt privacy laws that make sense in their own legal and cultural contexts. While the standard for adequacy is strict, other countries have been able to pass laws that meet the requirements.

Landscape of Data Localization

Takeshige Sugimoto presented an overview of the scattered landscape of data localization. He stressed that tensions in cross-border data flows have become more global and now involve numerous bilateral, country-to-country cases. For instance, beyond the transatlantic data transfers debate, tensions are emerging in data flows in the context of EU-Russia and EU-China relations. Sugimoto indicated that if European or American regulators restrict data transfers to China, the latter could retaliate in kind. This is becoming a real possibility, as regulators in both the EU and the U.S. have shown willingness to take enforcement actions against Chinese companies and have even begun to promote their own localization requirements.

Sugimoto highlighted how some international developments may help mitigate the risk of fragmentation, including the Global Cross-Border Privacy Rule (CBPR) certification system, but that such developments will not completely alleviate tensions in global data transfer rules. He stressed that on the one hand, if the U.K. loses adequacy from the EU and in turn participates in the CBPR system, the EU may be left behind. On the other hand, even if alternative frameworks become a global standard and mitigate risks of fragmentation, China’s data localization regime will continue to exist and exert influence abroad. 

Despite this, Sugimoto indicated that there are positive developments. Beyond the U.S., the EU, and China, other countries are playing a strong role in shaping conversations around data flows. Both Japan and South Korea have demonstrated that it is possible to promote an international standard for data protection while maintaining unique legal systems and cultures.

The panel also explored the perspective of the private sector with respect to data localization and the challenges companies face when responding to such measures.

Cybersecurity and Localization

Data localization also raises security concerns, as organizations and governments rely on information sharing to monitor and respond to security incidents, threats, and vulnerabilities. As David Hoffman indicated, governments are adopting data localization measures not only for privacy reasons but also for other legitimate government purposes such as promoting law enforcement, ensuring national security, and having enough data available to assist with tax collection.

Hoffman stressed that there is a need for the data protection community to address each of these motivations separately while recognizing and reiterating that privacy and security mutually reinforce each other. Indeed, as Hoffman explained, safeguarding security was one of the primary goals of the 1980 Privacy Guidelines from the Organization for Economic Cooperation and Development (OECD). Security threats can undermine privacy because they increase the risk that personal information will be exposed. 

At the same time, cross-border data flows are a core component of how companies and governments address and mitigate such threats through the sharing of threat and attack indicators that often include IP addresses that can fall under the definitions of “personal data”. While collecting and transferring personal data can put privacy at risk, if that use of data substantially increases cybersecurity, it may have a net positive privacy effect. That net positive effect may then be increased with effective use limitations and accountability measures, instead of reliance on collection limitations and/or data localization. Hoffman affirmed that one step towards realizing this involves understanding the rationales and motivations behind data localization and determining other methods to satisfy those government interests while still allowing for the transfer of data that is necessary to promote effective cybersecurity.

Panel 2: “Old Challenges of New Technologies – AI and Immersive Tech”


The second panel focused on the risks and opportunities presented by new and emerging technologies, like AI, AR/VR, and the “metaverse,” which often involve the collection and processing of personal data. Panelists also considered how these technologies could be regulated in the future and how measures to regulate international data transfers may impact the development and deployment of these technologies.

Artificial Intelligence (AI)

Marcus Bartley-Johns explained that AI is not a future possibility but rather a present reality as people regularly interact with AI systems in their professional and personal lives through email, social media, spell checkers, and security and threat protection, among others. Raina Yeung explained that AI is already an essential component in Meta’s system and is used for a wide range of purposes, from polling, to serving advertisements, to taking down misleading and harmful content. She highlighted that AI is an area of strategic importance both for governments and industry as it drives economic development and helps to find solutions to global challenges. Eunice Lim reiterated that AI impacts, and will continue to impact, the way that we live and work. However, she also noted that AI is not meant to replace human workers, but rather to augment us and make life easier for us by taking away repetitive tasks.

Jules Polonetsky noted that AI may also present new challenges in terms of deception and discrimination. Polonetsky explained that both the societal data used to train AIs, and how AIs are deployed in practice, can reflect social inequalities and prejudices. Yeung agreed and added that although AI may bring benefits, it also raises the risk of potential harms and therefore must be developed and deployed responsibly. Bartley-Johns stressed that it is important to look at the context of AI deployments, as not all applications impact privacy or rights. To illustrate this, Bartley-Johns drew a comparison between AI-based facial recognition systems, which process personal data and could impact data subjects’ privacy and legal rights if used, for example, to deny data subjects access to a service or cause them to be suspected of a crime, and AI-based malware detection systems, which may not process personal data but instead focus only on telemetry from attempts to access devices and systems.

Bartley-Johns explained that a common challenge is viewing responsible AI as a purely technical issue. In his view, implementing responsible AI is a socio-technical challenge: how the technology functions is only the beginning; broader concerns are how humans will interact with, have oversight over, and (where necessary) exercise decision-making power over the AI. Lim explained that the main risk from irresponsible use of AI is loss of trust and called on the public and private sectors to co-create standards and principles for AI. In this respect, Lim highlighted that Workday is working with developers to test and implement procedures for identifying and mitigating instances of AI bias. Yeung shared that Meta’s dedicated and cross-disciplinary Responsible AI (RAI) team builds and tests approaches to help ensure that their machine learning (ML) systems are designed and used responsibly.

Panelists all stressed that regulation has an important role to play in building citizens’ confidence in the technology and setting a baseline for companies’ responsibilities. Bartley-Johns highlighted that the difficulty is in getting the regulation right – ensuring that the technology is available to companies of all sizes and that data is not locked up with a minority of companies. Lim stressed that regulation should be risk-based, identifying the AI use cases which present the highest risks and directing resources to mitigate unintended consequences, and should recognize the different actors in the AI ecosystem, including those who develop AI, and those who deploy AI. Though there is ongoing debate about who is best placed to address these challenges, Polonetsky suggested that privacy professionals could play a role by, for example, undertaking data protection impact assessments, raising issues internally when they arise, and engaging proactively with affected communities to understand their positions and give them a voice. At the same time, Polonetsky also considered that expectations and norms around AI will change over time.

Simon Chesterman explained that conversations around AI regulation tend to assume that new laws would have to be drafted to regulate AI while overlooking the significant challenge that implementing these laws would present in practice. In Chesterman’s view, the central question in regulating AI is not whether to pass new laws but rather, how to apply existing laws to new use cases involving AI. He explained that on a fundamental level, “AI systems” cannot be treated as a discrete regulatory category as they encompass many different technologies and methods. Additionally, Chesterman said it would be a misstep for regulators to grant AI systems legal personality as this may make it easier for humans who misuse AI to avoid liability for their actions. He emphasized that there can always be a human-in-the-loop and that some decisions, such as when to fire a weapon or find a person liable in the judicial system, rightly belong with human decision-makers who have been appointed within a politically accountable framework.

Immersive Technologies and the Metaverse

Yeung explained that the metaverse is the next logical evolution of the internet and social networking platforms, which were initially text-based, but evolved to include photo sharing as mobile telephones became more common, and later, video sharing, as internet speeds increased around the globe. In Yeung’s view, technology – especially videoconferencing during the COVID-19 pandemic – has already done much to bring people together, but the metaverse will revolutionize current 2D online social interaction and enable a more immersive and 3D experience. Yeung also shared the value the metaverse will bring beyond gaming and entertainment, including the significant transformation to education, workforce training, and healthcare, as well as creating economic opportunities for digital creators, small businesses, and brands. Bartley-Johns explained how immersive technologies will bridge the gap between the physical and digital worlds in a range of different contexts, such as creating an “industrial metaverse” combining Internet-of-Things (IoT) devices with “digital twins” and using AR to provide training and technical support remotely.

Chesterman mentioned that improvements in technology over the last decade have raised two major regulatory issues. Firstly, consent no longer makes sense in the context of ubiquitous, large-scale data collection coupled with high-speed computing. Chesterman highlighted Singapore as an example of a jurisdiction that has started to move away from consent towards an alternative, accountability-based model. Secondly, privacy expectations around use of immersive technologies like AR and VR may be different from those that apply to conventional photography in public spaces. Chesterman also added that the metaverse may give rise to disputes over ownership of a person’s visual identity, which may become valuable and require additional protection. Bartley-Johns highlighted additional potential privacy concerns for inferences drawn from data collected in the metaverse, especially in the employment context. He raised the example of technology used to track employees’ eye movements while their supervisor is talking, with that data then used in the employees’ performance assessments. Yeung explained that Meta is focused on a few areas where there are hard questions that do not have easy answers, such as economic opportunity, privacy, safety and integrity, and equity and inclusion. It is critical to get these areas right to realize the potential benefits of the metaverse; as such, Meta is investing in research in these areas through partnerships with researchers and academic institutions.

Cross-Border Data Flows

Polonetsky called for deeper dialog on data localization between national leaders, policymakers, and developers of products and services using emerging technologies, highlighting the challenges presented by the spectrum of interests across different stakeholders. Polonetsky stressed that the task for privacy professionals is to present effective and viable alternatives to data localization that enable government and industry to achieve their respective aims. Bartley-Johns concurred with Polonetsky on the need to reframe the conversation around international data flows. Bartley-Johns highlighted that the conversation in APAC has increasingly focused on what legal and technical means exist to assure regulators and data subjects that data will be protected to the same standard as if it had remained in its source jurisdiction when transferred.

Editor: Isabella Perera

New Report on Limits of “Consent” in Thailand’s Data Protection Law

Today, the Future of Privacy Forum (FPF) and the Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the tenth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).

This report provides a detailed overview of relevant laws and regulations in Thailand, including:

The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.

Thailand’s Data Protection Landscape

Thailand’s Personal Data Protection Act (PDPA) provides the main requirements under Thai law relating to the collection, use, and disclosure of personal data and establishes Thailand’s Personal Data Protection Commission (PDPC), a government agency tasked with supporting the development of personal data protection in Thailand. 

Though the PDPA was passed in May 2019, it did not take effect immediately, and there have been a number of major developments in relation to the PDPA throughout 2022. In January 2022, the Thai government officially announced the appointment of the PDPC’s chairperson and members, and in February 2022, the PDPC held its first meeting. In June 2022, the PDPA entered into effect, and the PDPC issued a number of subordinate regulations to the PDPA as well as more general guidelines on the rights and requirements under the PDPA for citizens and small businesses.

This first round of subordinate regulations did not touch on the PDPA’s consent requirements and instead focused on rules, procedures, and exemptions for recording personal data processing, security measures, and administrative penalties. However, it is expected that the PDPC will issue a second round of subordinate regulations specifically regarding consent and notification, as the PDPC’s parent ministry, the Ministry of Digital Economy and Society (MDES), released a number of draft guidelines on consent and notification for public consultation between 2021 and 2022.

In addition to the PDPA, several other laws and regulations provide for protection of personal data in specific contexts, including the public sector, healthcare, and credit. Under the PDPA, any other law which provides for the protection of personal data in specific scenarios or specific areas takes precedence over the PDPA, except in relation to the PDPA’s requirements for collection, use, and disclosure of personal data.

Consent in the PDPA

The PDPA adopts a similar model to the EU GDPR in which consent is one of several, equal bases for processing personal data under the PDPA. 

Generally, under the PDPA, a data controller may not collect, use, or disclose personal data unless the data controller has obtained consent from the data subject or where an alternative legal basis applies, i.e., where the processing of personal data is: 

If the personal data in question falls within any of the categories of sensitive personal data under the PDPA, then the data controller must either obtain “explicit consent” from the data subject or satisfy one of a number of narrower alternative legal bases under the PDPA in which the processing of sensitive personal data is strictly necessary (such as in emergencies, for medical care or legal claims, or where there is another substantial public interest) or where the risk to the data subject is circumscribed (for example, where the data is only processed within a single, non-commercial organization for legitimate activities and subject to appropriate safeguards).

Under the PDPA, consent must be obtained prior to or at the time of collection, use, or disclosure of the personal data in question. By default, a request for consent must be made explicitly in writing in a format that separates the request for consent from other matters and that is easy for the data subject to understand. The request must also be accompanied by information on the purpose of the collection, use, or disclosure of the personal data.

Data subjects must also be given the option to withdraw consent and an explanation of the effect of doing so. The procedure for withdrawing must not be more difficult than the procedure by which the data controller initially obtained consent.

Read the previous reports in the series here.

Blog Cover Image by Anil Nallamotu on Unsplash

FPF at CPDP LatAm 2022: Artificial Intelligence and Data Protection in Latin America

This summer the first-ever in-person Computers, Privacy and Data Protection Conference – Latin America (CPDP LatAm) took place in Rio de Janeiro on July 12 and 13. The Future of Privacy Forum (FPF) was present at the event, titled Artificial Intelligence and Data Protection in Latin America, participating in two panels and submitting a paper for publication. In this blog post, we provide an overview of both the panels, as well as a brief summary of the accepted research paper.

CPDP LatAm is a relatively new event on the international privacy conference circuit, designed to provide a Latin American platform to discuss privacy, data protection, and technology. All the below sessions were recorded by the CPDP organizers, and we will include a link to the recordings as soon as they are made available. Currently, only the opening and closing plenary sessions are available online.

Photo: CPDP LatAm Closing Plenary Session on 7/13/2022

Photo: Panel on Research Data, AI and Data Protection Law: What Research ‘Exceptions’ Mean for the Development and Use of AI Technologies, 7/12/2022

Photo: Panel on Algorithmic Transparency, Accountability, and Trade Secrets, 07/13/2022

Research Data, AI and Data Protection Law: What Research ‘Exceptions’ Mean for the Development and Use of AI Technologies:

On the first day of CPDP LatAm, FPF got off to a roaring start – hosting a deep-dive panel on how general data protection regulations treat processing personal data for research purposes in the context of AI technologies. Moderated by FPF Policy Counsel Katerina Demetzou, the panel featured contributions from:

The panel explored how “general scope” data protection regimes often treat processing personal data for research purposes differently, sometimes exempting personal data processed for qualifying purposes from other provisions, such as individuals’ rights to request access to or the deletion of such data. The panel discussed how in the AI ​​context, where high quality datasets containing personal data are critical to train and develop core algorithms and to continuously improve them, these exceptions are particularly crucial to the development of new technologies – but may also represent a significant increase in risk to the individuals concerned. 

Panelists identified a number of areas where regulators in Latin America are currently working to issue more specific guidance on the subject of research exceptions – particularly in defining the scope of what kinds of processing activity “count” as acceptable “research” – and whether “research exceptions” should include research activities carried out by the private sector. One such example is the Brazilian regulator, the ANPD, which recently issued a technical study titled “The LGPD and personal data processing for academic purposes and studies by research organisations” (the original title is “LGPD e o tratamento de dados pessoais para fins acadêmicos e para a realização de estudos por órgão de pesquisa”, original available in Portuguese). The panel also discussed the role of the Ibero-American Network of Data Protection (RIPD) in the matter, as well as how the emerging regulatory regimes in Latin America dealing with the use of personal information for research purposes compare to, and differ from, the European Union’s approach to this issue under the General Data Protection Regulation.

Algorithmic Transparency, Accountability, and Trade Secrets

On the second day of CPDP LatAm, FPF Policy Counsel Katerina Demetzou also spoke on a panel regarding Algorithmic Transparency, Accountability, and Trade Secret Preservation (original title ‘Transparência algorítmica, accountability e preservação do segredo de negócio’). This panel, moderated by Danilo Doneda, CEDIS-IDP, featured contributions from:

The panel focused on how to balance transparency obligations core to effective data protection laws with the need to maintain trade secrecy central to much commercial development of artificial intelligence, and how to structure data protection laws such that trade secrecy claims are not able to prevent individuals from effectively exercising their privacy rights. Panelists discussed issues such as the necessity of disclosing application or software source code when providing “explainability” of decision-making to data subjects, and debated the level of detail necessary in disclosures required under transparency obligations. Ms. Demetzou focused on how this tension is treated under the EU’s General Data Protection Regulation, and discussed several examples of EU Member State enforcement actions that balanced the substantive rights granted to individuals by the GDPR with the confidentiality rights created by other national laws regarding trade secrets.

FPF Paper Accepted for Publication

In addition to the above panels, FPF also submitted an academic paper to CPDP LatAm 2022. Titled “Thin Red Line: Refocusing Data Protection Law on ADM, A Global Perspective with Lessons from Case-Law” and co-authored by FPF Vice President Gabriela Zanfir-Fortuna, Policy Counsel Katerina Demetzou, and Policy Counsel Sebastião Barros Vale, the paper focuses on how existing data protection laws in the EU and a selection of six global jurisdictions (Brazil, Mexico, Argentina, Colombia, China, and South Africa) are currently being applied in the context of automated decision-making (ADM). The paper successfully completed the conference’s double-blind peer review process and will be published in a CPDP LatAm special issue of the Computer Law & Security Review, edited by FGV Professors Luca Belli and Nicolo Zingales.

New Report on Limits of “Consent” in Vietnam’s Data Protection Law

Today, the Future of Privacy Forum (FPF) and the Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the ninth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).

This report provides a detailed overview of relevant laws and regulations in Vietnam, including:

The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.

Vietnam’s Evolving Data Protection Landscape

Vietnam currently does not have a comprehensive law on protection of personal data, and instead, Vietnam’s personal data framework is made up of a patchwork of different legal instruments. 

At the fundamental level, Vietnam’s Constitution provides for an inviolable right to privacy and legal protection of information regarding personal privacy and personal and familial secrecy. 

The Civil Code gives expression to these rights in a limited manner by, among others, requiring an individual’s consent for collection, use, retention, or publication of information about that individual’s private life.

These are complemented by a number of sector specific laws and regulations which provide for protection of personal data in a number of specific contexts, including cyberspace, healthcare, commerce, banking, and finance.

However, it is expected that Vietnam will enact a comprehensive data protection law in the coming months. In February 2021, Vietnam’s Ministry of Public Security (MPS) initiated consultation on a draft legislation, releasing a draft Decree on Personal Data Protection (Draft PDP Decree) for public comment. 

This Draft PDP Decree sought to introduce several major additions to Vietnam’s personal data protection framework, including:

It is understood that in the year and a half since this public consultation, MPS has been further developing a revised draft of the legislation internally. However, to date, this revised draft has not been released publicly. While the report and this blog post refer to the February 2021 version of the Draft PDP, note that this draft legislation has not yet been enacted, and its provisions remain subject to change.

Consent in Vietnam’s Existing Data Protection Framework

Under Vietnam’s existing data protection framework, consent is generally the default basis for processing individuals’ personal information or information about an individual’s private life, unless an applicable legal instrument provides an exception to consent. 

Vietnamese law also imposes confidentiality requirements on certain providers of regulated services – such as medical professionals, credit institutions, and banks – and generally requires these service providers to obtain consent from users of their services before disclosing users’ personal information to third parties, subject to narrow exceptions, such as requests from state authorities or necessity for medical care.

Generally, under Vietnamese law, consent for processing of personal information must be freely given. Prevailing laws generally require entities that handle personal data to inform the data subject of the scope and purpose for collection and use of the data subject’s personal information before obtaining the data subject’s consent. Vietnamese law does not generally require consent for processing of personal information to be given in any specific form. However, more stringent requirements apply in the contexts of e-commerce and advertising/marketing communications. 

Consent in the Draft PDP Decree (Not Yet Enacted)

Consent plays a prominent role in the Draft PDP Decree: it is one of several legal bases for processing personal data (including sensitive personal data) and is one of several requirements for transferring personal data out of Vietnam.

Under the Draft PDP Decree, consent must be affirmative, voluntary, informed, and recorded in a written form. 

If an entity seeks to rely on consent to process a data subject’s personal data, the entity must inform the data subject of the type of data to be processed, the purpose for processing, any third parties with whom the data may be shared and the conditions for sharing the data, the data subject’s legal rights regarding processing of the personal data, and whether the personal data to be processed is sensitive personal data.

Interestingly, the Draft PDP Decree recognizes a form of deemed consent in the narrow context of audio or video recording by competent state agencies. By default, the collecting agency must notify data subjects of the recording in a way that data subjects understand unless recording is for the purposes of national defense, security, social order and safety, social ethics, or the health of the community.

The Draft PDP Decree also permits processing of personal data without consent where the processing is:

Additionally, the Draft PDP Decree permits disclosure of personal data without consent where the disclosure is in the media:

Read the previous reports in the series here.

New Report on Limits of “Consent” in Malaysia’s Data Protection Law

Introduction

Today, the Future of Privacy Forum (FPF) and the Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the eighth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).

This report provides a detailed overview of relevant laws and regulations in Malaysia, including:

The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.

Malaysia’s Data Protection Landscape

The Personal Data Protection Act 2010 (PDPA) is the main data protection legislation in Malaysia and gives effect to the 7 Data Protection Principles (PDP Principles):

The PDPA also establishes the Personal Data Protection Commissioner (PDP Commissioner) as the public body responsible for enforcing and administering the PDPA.

The PDPA is complemented by other sectoral laws, regulations, and guidelines. In addition to various sector-specific laws which limit the disclosure of personal data held by certain regulated entities (e.g., providers of financial services, medical practitioners), the PDP Commissioner has approved and registered seven Personal Data Codes of Practice, which provide more detailed requirements for entities in certain sectors to comply with the PDPA. These sectors include:

Role and Status of Consent as a Basis for Processing Personal Data in Malaysia

Consent plays a prominent role in the PDPA, as it is the default basis for collecting, using, and disclosing personal data under the PDPA and is also one of several legal bases for transferring personal data out of Malaysia.

The General Principle in Section 6 of the PDPA establishes the default rule that data controllers may only process personal data if they obtain consent from the data subject. However, this default rule is subject to other data protection principles (including purpose limitation) as well as a number of exceptions that apply where processing of personal data is necessary:

These alternatives to consent are similar to those provided under the EU Data Protection Directive 95/46 and its successor, the GDPR.

However, if the personal data in question falls within any of the categories of “sensitive personal data” specified in the PDPA, then the data controller would have to obtain “explicit consent” from the data subject unless an exception applies. These exceptions address a wide range of purposes for which processing of sensitive personal data may be necessary, including:

These categories are not fixed, as the PDPA empowers the Minister of Communications and Multimedia to specify other purposes for which processing of sensitive data is permitted on the basis of necessity.

A challenge when interpreting the PDPA is that it does not define consent, and the PDPA and its sub-regulations provide only limited guidance on the forms that valid consent may take. The sub-regulations specify that consent for the processing of personal data may take any form, provided that the consent is capable of being recorded and maintained by the data controller. Consent forms must also be structured so that consent for a specific matter is distinguishable from any other matters included in the form.

While Malaysia’s data protection law would likely recognize express consent (provided that the foregoing requirements are met), it remains unclear whether it recognizes implied or deemed forms of consent and, if so, whether those forms would be recognized in all instances.

In addition to the obligation to obtain consent under the General Principle in Section 6 of the PDPA, the Notice and Choice principle in Section 7 of the PDPA specifies the minimum information that a data controller must include in its written privacy policy.

Read the previous reports in the series here.

ADPPA Would Surpass California’s Laws, but Improvements Remain

On July 20, the House Energy and Commerce Committee advanced the American Data Privacy and Protection Act (ADPPA), a proposal that experts and advocates agree is long overdue. However, objections from California leaders may threaten the bill’s passage.

Stacey Gray, FPF’s Director of Legislative Research & Analysis, argues otherwise in a new editorial for Lawfare. Gray explains how the ADPPA compares to, and surpasses, the state privacy protections established by the California Privacy Rights Act (CPRA) and enforced by the California Privacy Protection Agency (CPPA).

In substance and privacy protections, the current version of the ADPPA is “significantly stronger” than California’s CPRA framework and CPPA enforcement regime “in nearly every way,” Gray argues. The ADPPA incorporates “substantive rights,” establishes groundbreaking new national civil rights protections, and preserves existing state administrative enforcement powers.

“Any successful federal privacy law in the United States must be at least as protective as California’s current data protection framework for reasons that are both political and substantive,” said Stacey. “Congress can continue to strengthen and clarify the law to ensure that it exceeds the CPRA’s substantive provisions; preserves the CPPA’s existing enforcement powers; and establishes a single, strong comprehensive national privacy standard.”

To learn more, read Stacey’s op-ed here.

ADPPA Helps Protect Civil Rights for All Americans

Today, The Hill published an op-ed by Bertram Lee, the Future of Privacy Forum’s (FPF) Senior Policy Counsel for Data, Decision Making, and Artificial Intelligence. The piece argues that privacy, particularly in the context of digital services, electronic data flows, and personal data, is a civil right.

Yesterday, the House Energy and Commerce Committee voted to advance the American Data Privacy and Protection Act (ADPPA). If passed, the bill would enact the first national standard for privacy. In its current form, ADPPA would modernize civil rights for the digital age and update existing civil rights protections.

“What is at stake is bigger than the interests of individual states: it affects the lives of a majority of Americans,” Lee said in the piece. “State laws, including the California Privacy Rights Act and laws passed in Colorado, Utah, Connecticut, and Virginia, typically codify existing civil rights laws, but to date have not extended civil rights protections. The U.S. needs a law that will implement clear and meaningful civil rights safeguards.”

Read the full piece here.

FPF Announces new APAC Director, Hosts Panel for Singapore Personal Data Protection Week 2022

As part of this year’s Personal Data Protection Week in Singapore, the Future of Privacy Forum (FPF) — a global non-profit focused on data privacy, data protection and emerging technology policy — will host “Data Sovereignty, Data Transfers and Data Protection – Impact on AI and Immersive Tech” on July 21, 2022, from 9:30 a.m. to 12:30 p.m. GMT+8.

The panel will feature FPF’s recently appointed Managing Director for the Asia-Pacific (APAC) region, Josh Lee Kok Thong, who will discuss principles, practices, and policies to help businesses elevate their data governance practices and build trust in the use of advanced technologies such as artificial intelligence.

Lee joins FPF after working at the Personal Data Protection Commission Singapore (PDPC) for three years, where he helped draft Singapore’s Model AI Governance Framework and worked on the country’s strategy in AI governance. He is an Advocate and Solicitor of the Singapore Bar, a former international arbitration practitioner, and a former Assistant Director for Legal Policy in Singapore’s Ministry of Law. 

Additionally, Lee co-founded LawTech.Asia, Singapore’s foremost publication on legal technology, as well as the Asia-Pacific Legal Innovation and Technology Association (ALITA). Lee is also a Research Affiliate in the Singapore Management University’s Centre for AI and Data Governance and a Voting Member of the IEEE Standards Association. For his work, he was identified as one of Asia’s Top 30 Persons to Watch in the business of law (Asia Law Portal, 2019). 

As Managing Director for APAC, he and his team will drive FPF’s agenda in the region, particularly focusing on AI governance, cross-border data flows, and emerging realms like immersive technologies. 

“We’re excited to welcome an experienced data protection expert and innovative thinker to our Asia Pacific team,” said Jules Polonetsky, FPF’s CEO. “FPF Asia-Pacific aims to serve in the wider Asia region as a cooperative and trusted platform of reference to advance principled privacy and data protection practices and policies supporting emerging technologies. Josh Lee and the FPF Singapore team will work closely with local stakeholders to develop these conversations within the Asia-Pacific but also will operate as a trusted communication hub between APAC and the other regions of the world.”

At the upcoming panel discussion during Personal Data Protection Week in Singapore, Lee and others will explore the foundational differences between data localization requirements, international data transfer frameworks in data protection law, and data sovereignty. Attendees will learn about the latest APAC and global regulatory and policy developments and how businesses can better safeguard data against potential risks.

“I am excited to join the renowned team at the Future of Privacy Forum’s APAC office in Singapore and represent them at this year’s Personal Data Protection Week,” said Lee. “In my new role, I hope to work with like-minded partners to continue fostering data best practices in the APAC region as we prepare for the new opportunities and challenges in technology.”

FPF launched the Asia-Pacific office based in Singapore in August 2021. The office expands FPF’s international reach in Asia and complements FPF’s offices in the U.S., Europe, and Israel, as well as partnerships around the globe.

To see all the events FPF will support during PDPC’s Personal Data Protection Week, visit FPF.org. Follow the FPF APAC team’s activities here and sign up for the FPF APAC email list to stay in touch.

FPF Files Comments on White House Office of Science and Technology Policy Actions to Advance Privacy-Enhancing Technologies  

On July 8, 2022, FPF filed comments with the White House Office of Science and Technology Policy (OSTP) regarding specific actions that would advance the adoption of privacy-enhancing technologies (PETs).

As emerging technologies continue to offer greater speed, efficiency, productivity, commercial output, and connectivity, they rely increasingly on the extensive collection and processing of personal data. That processing raises data protection and security challenges. The Future of Privacy Forum (FPF) has long supported the development of PETs that can help mitigate the data protection risks posed by emerging technologies.

In response to the Office’s request for comments, and addressing the specific categories of information it requested, FPF made the following recommendations to OSTP for the development of a national strategy on privacy-enhancing technologies:

1. Support the growing discipline of privacy engineering aimed at bridging the gap between technologies and policies through direct funding of academic research, building expertise within government, encouraging business-academia dialogues, and directing agencies to require federal contractors to incorporate PETs as appropriate to promote common standards in the discipline;

2. Recommend the establishment of a trusted inter-agency and multi-stakeholder body, including the FTC, NIST, HHS, NSF, and experts from the private sector, civil society, and academia, to provide guidance and standards-setting for de-identification and the role of PETs, with particular regard to their utility for compliance with state and federal legislation; and

3. Encourage the establishment of Administrative Data Research Networks (ADRNs) that offer de-identification tools to facilitate researcher access to data in a secure manner.

Meet Josh Lee Kok Thong, FPF Asia Pacific’s Managing Director

The Future of Privacy Forum (FPF) is thrilled to announce Josh Lee Kok Thong as FPF Asia Pacific’s new Managing Director. Lee is deeply passionate about issues at the intersection of law, policy, and technology, and is a changemaker in both the law of tech and the tech of law.

As a legal architect who hopes to reshape relationships disrupted by technology, Josh will lead a team furthering FPF’s mission of advancing data protection best practices and the trusted development and use of emerging technologies in the region.

Learn more about Josh in the Q&A below.

1. Tell us about yourself. How did you come to be at FPF as the new Managing Director of our Asia-Pacific office?

It all happened rather serendipitously. While pursuing my postgraduate law degree at Berkeley, I was asked to be interviewed for an article by the Singapore Global Network (a global networking community for Singaporeans set up by Singapore’s Economic Development Board). It wasn’t anything fancy; they had just wanted to feature Singaporeans in the Bay Area. After sharing the article on LinkedIn, Dr. Clarisse Girot (whom I had previously worked with while in the Singapore Government) reached out and put me in touch with FPF CEO Jules Polonetsky; after our conversation, Jules said, “actually, we’re looking to have you in as someone more senior.”

The next thing I knew, I was connected to senior members of the team at FPF, and FPF offered me this role, which I was delighted but also very humbled to receive. It also came at a time when another global tech company had provided an offer. All things considered, joining FPF was the right choice, as it offered me the opportunity and chance to build something unique and shape it based on my vision.

TL;DR: I’m grateful for the connections and coincidences that came together to make this role possible, and I am excited to help the wonderful team at FPF take the office, and its mission, forward!

2. How do you see the role of the FPF Asia-Pacific office in the essential debates in the region on protecting personal data and advancing principled data practices in support of emerging technologies?

I think the FPF Asia-Pacific office (or FPF APAC) will be able to play a key and essential role in these dialogues. 

Regionally, I see three fundamental shifts impacting the emerging technology and data protection landscape—first, the demographic shift. Second, the technological shift. Third, the regulatory shift. 

First, the sheer demographic gravity of the Asia-Pacific means that jurisdictions like China, India, Indonesia, and others have not just the largest but also some of the youngest and fastest-growing populations globally.

With a young, highly digitally-savvy population that is more conscious and careful about how their information is being used and how technology impacts them, there will be a stronger impetus to implement or update data protection regimes across the region to adapt to the changing sensibilities of these constituents. 

Second, there are many technological developments occurring in the region. China is a world leader in AI and blockchain technology. Jurisdictions like South Korea and Japan are investing heavily in the future of the Web and media. In Hong Kong and Southeast Asia, fintech is revolutionizing how financial services are provided. With COVID-19 still fresh in everyone’s minds, healthtech is also an area of rapid development and opportunity. These technological developments, all of which rely on vast amounts of data, mean that trust in the collection, use, processing, and transfer of personal data is a critical need for regulators, industry, and civil society.

Third, regulators in the region are, one, increasingly aware of the benefits and risks of emerging technologies; two, increasingly concerned about striking a balance between data innovation and data protection and control; and three, increasingly confident of regulating in a unique way that works for them. This comes against a backdrop of increased geopolitical focus on Asia, greater industry competition, and heightened awareness of the need to balance innovation and technological risk, all adding to greater regulatory uncertainty in data protection and technology regulation.

Therefore, there is a significant role for FPF, through its unique approach of listening to governments, industry, civil society, and academia, to help foster the connections and dialogues critical to building trust.

We also want to use our unique centrist position, of focusing not on what appears good or bad but on what is objectively important, to help regulators make the most informed choices on why, how, and when to regulate data and technology. We therefore want to be the most effective conduit, convenor, and collaborator in the region in this space. In short, when one thinks of technology, data protection, and trust, we want FPF APAC to be top-of-mind in this region.

3. What are your top three priorities as you take the helm of the FPF Asia-Pacific office?

To advance FPF’s mission, the APAC office will focus on three themes: continuity, construction, and visibility. 

First, continuity. Unlike other places where transitions spell sudden shocks to how things are done, the FPF APAC office will continue many of the key projects it has already embarked upon. These include continuing the office’s tremendous work on the 14 jurisdictional reports on consent regimes and the monthly privacy landscape calls, among others. We also want to emphasize our desire to build upon and nurture the relationships already built with existing stakeholders, even as we foster new ones.

Second, construction. FPF APAC will seek to construct a regional ecosystem of members, partners, and friends that is able to share perspectives, intelligence, and insights. After all, in a huge region with a multitude of views and stakeholders, it takes more than just two hands to clap. This collaborative network of partnerships is ultimately how we can be of value to our members and stakeholders, and further FPF’s mission and vision in the region.

Third, visibility. To ensure that FPF becomes and remains top-of-mind in policy and regulatory discussions in the region, we want to be a lighthouse amidst the constant changes and shifts in this space. FPF APAC will focus on being the trusted partner and advisor in understanding regulatory and technology developments as they come, and on conveying this information in the most digestible way possible, so that important insights reach members and stakeholders in the right place, at the right time, and in the right way.

4. What are you reading or what podcasts are you listening to these days in relation to data protection?

We, The Robots by Professor Simon Chesterman, a respected academic in Singapore, on how and what policymakers should think about when considering the regulation of AI.

Interested in learning more about FPF APAC and the APAC Council? Contact [email protected] to connect with the FPF Membership Team to learn more.