
Latest developments in APAC data privacy webinar transcript


    Speakers:

    • Hoi Tak Leung ("HTL")
    • Tracy Wong ("TW")
    • Geoff McGrath ("GM")
    • Evan Lam ("EL")

    HTL:

    Good morning everyone.  Thank you for joining the latest Ashurst Digital Economy webinar for this year.  Data privacy – it's been a massive issue for many of us in society not just for us legal counsels.  And lately, speaking from personal experience, it's become an increasing part of the Digital Economy practice.  So recently when we were thinking what should we talk about in the next webinar that will… that's very influential for our clients and what our clients want to know, I think a common theme that came up was data and data privacy, so I thought what better way to spend a Wednesday morning in Hong Kong or lunchtime in Sydney than to gather my colleagues from APAC to discuss this issue.

    Before we do that just a little bit of housekeeping and this slide sets out what you need to do.  In particular, we always welcome questions so please send through any questions you like.  We'll try to get to them in this webinar but if we don't get to it in this webinar, we'll definitely try to get to you directly with the answer after the webinar.  The other thing to keep in mind is that if you do want to apply for Hong Kong CPD points then… and if you haven't registered for the webinar using your full [legal] name then please send it through to us to our events team separately afterwards and we'll try to get that sorted for you.

    So, what are we going to talk about today?  So joining me today… just a brief introduction to everyone that you see on the right side of your screen starting from top to the bottom, Geoff is a senior associate in our Digital Economy team based in Melbourne.  We've been working closely together on things to do with Asia and Australia and Geoff is one of our go-to people in our Australian team for anything to do with, not just data privacy, but data more broadly.  Australia is going through a massive open data journey for sectors beyond financial services that many of us in Asia may recognise so hopefully we can touch on that a little bit in the panel discussion later on, so welcome Geoff.

    Evan is our Financial Regulatory partner in Singapore.  Evan and I have worked closely together on various fintech matters.  He's also our go-to person apart from data for crypto-related matters which probably not the scope of this webinar but hopefully Evan we get to talk about that another time.  So welcome Evan.

    And finally, Tracy is our counsel in our Banking team in China, based in Beijing.  I think many of you will know that in anything to do with data, China is becoming one of the leaders in Asia for many reasons.  Whenever we have work in the data space with China I go straight to Tracy.  She's definitely our go-to person so thank you Tracy for joining us today as well.

    So what are we going to discuss today?  Many of you may or may not know, I'm a counsel in the Digital Economy team in Ashurst based in Hong Kong.  I lead a lot of the kind of digital economy and data specific work across Asia, so as a general point I have always been a TMT or Digital Economy lawyer.  It's been about probably 14 years now, time flies, but one of the things that I've seen in the past few years, and you can see from the panellists that we have today, is that we're all working across practices and so it's been great to organise this cross-practice session today.  All of us are going to talk about a few of the key developments in our jurisdictions and that will be about 8 to 10 minutes each.  And then hopefully we will get about 15 minutes at the end to discuss some of the kind of regional trends in developments that we are seeing as well as hopefully get to some of your questions.  So let's get to it.

    So what's happening in Hong Kong?  I am going to get things kicked off.  So a lot of things have been happening in Hong Kong so I think that's the kind of short answer, right?  But today I'm going to talk about three things specifically in my 10 minutes.  I'm going to talk about firstly the PDPO Amendment Bill that came through late last year.  I'm going to talk about the cross-border data transfer model clauses that the Privacy Commission in Hong Kong has just released, and finally I'm going to briefly talk about a couple of the upcoming developments that we might see this year.

    So, first things first, PDPO Amendment Bill.  September last year LegCo passed a PDPO Amendment Bill.  Now, to give a little bit more background on this, before that, LegCo had in session discussed various amendments to the PDPO.  Many of you may know the PDPO is one of the oldest kind of data privacy laws in the Asia region – it came into effect in the late 1990s.  It's only been amended once since then.  It was amended in… until now; it was amended in 2012 mainly for direct marketing related provisions.  So LegCo discussed, "well we're going to make all these amendments to the PDPO".  They discussed a mandatory data breach notification, amendments to cater for artificial intelligence and so on; so there were many amendments discussed.  Many of them were kind of following developments overseas.  So, many amendments discussed and then when the Amendment Bill actually came through late last year only one of those discussed amendments came through.  So this was to do with doxxing and also there were some kind of criminal and enforcement power changes.  So maybe two of the amendments came through, but the focus of this Amendment Bill was definitely on doxxing.  Now many of you may know doxxing is a release of… basically a release of personal data without the data subject's consent and so when you look at the PDPO Amendment Bill, what it covered was firstly doxxing, two offences and secondly an increase of investigative and enforcement powers for the Privacy Commissioner.

    So we've put the definition of the doxxing offence here, and you can see that the intention to threaten or intimidate or harass or cause psychological harm to the data subject, I mean that's very important.  And then there's also specified harm which is on the right side.  But just to go back a step if you can go to the previous slide please.  When the Government was explaining the rationale for this Amendment Bill, I mean that is the actual quote from their explanatory… from the equivalent of the EM, Explanatory Memorandum basically in Hong Kong.  And so it's very much an amendment driven by not kind of pure data privacy if you will.  I mean there's various other considerations behind this Bill as well.  Next slide please.  And then the next slide as well.

    So a couple of the other amendments.  There's now kind of direct criminal investigation and prosecution powers – those go beyond doxxing offences.  And finally an introduction of a cessation notice regime where the Privacy Commissioner can compel takedown [of] content where they reasonably consider it to be a doxxing offence relating to a Hong Kong resident or person in Hong Kong.  Next slide please.

    So, just to have a look at kind of developments over the past few months in particular.  So this only came into force late last year, late September.  So in June the Privacy Commissioner announced they issued more than 770 cessation notices for 14 social media platforms.  In May they announced they initiated their first criminal prosecution for doxxing activities.  And in May as well there was a lot of media speculation around the banning or takedown of Telegram – many of you know as a kind of anonymous, although not that anonymous messaging platform.  So you can see generally from these developments that the Privacy Commissioner is starting to exercise its powers when it comes to this Amendment Bill specifically.

    And the last point in particular is probably worth looking at a little bit more if you are any kind of platform in particular.  One thing to keep in mind about the Amendment Bill is that it purported to apply on an extra-territorial basis.  Now on a practical level when we discuss with clients, if you're an entity that has no staff in Hong Kong, you have no service in Hong Kong, how they are going to enforce it on an extra-territorial basis remains to be seen.  I mean, to be clear, that last box is media speculation, although maybe it's one of those situations where there's a bit of fire behind the smoke perhaps, but it's an interesting theoretical point.

    Now the other thing is that Hong Kong doesn't have a Great Firewall so to restrict access to a platform without affecting other platforms, I mean that's going to be interesting to see.  So these are things that we don't necessarily have guidance on at the moment but we're keeping a close eye on.  Next slide, please.

    And this will be relevant a little bit later on.  This is a quote from the Privacy Commissioner when they were talking about, generally, the Amendment Bill.  So this is another indication that the government in Hong Kong is focused on platform responsibility.  And we'll come back to that at the end of this.  Next slide, please.

    So just very quickly on this, mainly because we'll have an article coming up very shortly on it.  The Privacy Commission has also released guidance on recommended model contractual clauses.  So there was guidance released previously on cross-border data transfers.  I think it was about 2014 or 2016 – it was one of those, so quite a few years ago.  Now many of you will know the PDPO has cross-border data transfer clauses but it has never come into effect.  

    So the first key point to say about these recommended model contractual clauses is they're really recommended.  There's no cross-border data transfer provisions effective under the PDPO at the moment and there's no timing for it coming into effect.  It's been obviously a very long time now.  So that's something to keep in mind.  I think I've put a lot of text there but the key point for a lot of you guys who work regionally is that many of you would know ASEAN released their model data transfer clauses last year, late last year.  These clauses from the Hong Kong Privacy Commissioner are broadly similar.  Well, part of the article is actually kind of comparing the two, but to keep it short, they're largely aligned.

    The other thing to keep in mind is that if you use these model clauses, and we'll get to this more in the article, but if you use these model clauses, data processors are going to push back on some of these clauses.  One set of these clauses is for data user to data processor transfers.  Data processors will likely push back on them.  But look, we've incorporated many of these clauses into many commercial agreements.  If you're using the ASEAN clauses already, these are not that much different.  Next slide please.

    So finally a couple of areas that I think we're looking to see or maybe see in the next six to 12 months in Hong Kong.  There's a lot of discussion from the government in Hong Kong about a new cybersecurity law.  At the moment there is no standalone cybersecurity law.  At a recent policy address they said it.  And various, kind of, high level, figures in the government have said it.  Basically the Security Bureau is currently preparing a draft cybersecurity law for circulation at LegCo.  And there's been public comments that they're aiming to release this for public consultation by the end of the year.  To be clear, I have no idea what the public consultation will look like, in what form it will look like.  So best for me not to speculate but that's what they've said.  They said that there will be a public consultation on it.  Government figures have acknowledged that cybersecurity can encompass many aspects.  But this is a quote from the government – they focused on critical information infrastructure operators and also the previous quote regarding platform operators.  So Tracy, later on, will talk more about this but for many of you who work in China, data privacy critical information infrastructure operator, that's a very familiar term to you.  Next slide please.

    And finally, just very briefly, Hong Kong, the outgoing chief executive has also announced that they're working on fake news legislation.  This is a quote from the outgoing chief executive.  This was only in May.  There's no timing for this so we'll see what happens.  And one thing that I haven't put on this slide, because this is more speculative, but there's a lot of informal discussion around whether the Privacy Commissioner will go ahead with the other discussed amendments to the PDPO, the ones that I mentioned right at the beginning of this presentation.  I don't have any insight on that but that's also something that we're looking out for in the upcoming period.

    So that's it from me.  And then, welcome Tracy, and now Tracy will discuss some of the developments in China.

    TW: 

    Thanks Hoi for the introduction.  I'm very pleased to be here today.  Today I'm going to focus on three topics which will be shown on the next slide, that are most relevant to international companies with Chinese customers, operations or business counterparts.  For anyone who has not been following this space or China specifically, from a data privacy perspective, there may be some background information or jargon that does not make sense to you.  If so, please feel free to drop me a line afterwards if you need clarification or have follow-up questions.

    So when PIPL was passed last year it had left many questions unanswered and details to be worked out in implementation rules, which will be and are still being prepared.  Unlike many jurisdictions where data privacy regulations are relatively standalone, the Chinese data privacy legislation is formulated against the background of a rather legislative and regulatory effort on data and cybersecurity where the sovereign control of certain key data is given priority.

    However, over the last few years, since the passing of the cybersecurity law in 2017, there has not been sufficient clarity on the boundaries of what can and cannot be freely transferred between different entities and cross border.  And the debate even goes on until today.  This explains the Chinese data privacy legislation which, on the one hand, adopts many principles and standards that are similar to GDPR or other globally recognised privacy regulations; but, on the other hand, also empowers the regulators with the right to carry out cybersecurity review and the discretion to impose limitations on data export or cross-border transfer.  And there's always the question about how far the regulators can go in that respect.  International businesses are facing challenges both for their onshore operations in China as well as from a cross-border data regulation perspective.

    With the rules being unclear it may be difficult to quantify the risk of intrusive PRC cybersecurity measures.  A typical example is the cybersecurity inspection against Didi last year which eventually resulted in the company's decision to delist from the New York Stock Exchange.  Didi's alleged breaches included illegal collection of end users' personal data, but it was understood that data privacy breaches alone were not the main cause leading to the penalties.

    This being the case, we observe that there are signs in latest legislation that the regulators are conscious of not letting the scope of important data expand too extensively.  Important data is a concept that automatically triggers a mandatory risk review on cross-border transfer.  After years of efforts trying to define the scope of important data, the latest drafted guidelines and specifications have finally made it clear that first, personal data is generally not considered important data.  Therefore it is generally okay to be transferred to overseas once it meets certain standards which we'll come back on later.  

    It has also been made clear that data that only concerns or affects specific organisations or individual citizens is generally not considered important data either.  There must be a direct causal link between the impact on national security, the economy, public health or safety or some specific industry or other macroscale interest, and the breach of important data protection rules.  And this has effectively narrowed down the concept of important data which at one point was left to be defined by sectoral regulators without any unified standards, which caused the many practical uncertainties and open interpretation of the rules by different stakeholders.

    Another development is that despite the PIPL having extra-territorial effect, based on our observation, since the passing of PIPL, the Regulator's law enforcement actions have been on domestic operations.  So far we have not seen any cross-border law enforcement cases based on data privacy alone.  Since it has not taken any actions on reviewing, for example, offshore online platforms' privacy terms, contracts or data privacy practices, to date there has not been any penalty that is comparable to the GDPR fines against global technology giant companies.

    This gives international businesses more lead time to study the rules and achieve substantial compliance on the basis that hopefully more clarity in the rules will continue to be released.  On the other hand some international businesses having onshore operations have been imposed much more severe penalties for breach of data privacy regulations.  Previously it was rare to see big fines but recently we have seen several penalties including a foreign bank's China subsidiary being fined 16 million RMB for data privacy breaches.  Next slide please.

    So in the next few minutes I'll quickly go through some latest developments on each of the three options for cross-border transfer of personal information.  So under the PIPL there are three options listed out.  One being completing risk review by the CAC, or having standard contractual clauses with offshore data receiving parties, or obtaining a personal information protection certification from an agency.  As of today there are not sufficient details about how the three different routes can be pursued and the detailed steps.  But there are some developments that I can share with the audience today.

    The first notable development is some new draft guidelines released recently for the third option, personal information protection certification.  A certification could be applied for an intra-group transfer of personal data or processing of personal data of PRC data subjects by an offshore entity on a cross-border basis, where the Chinese onshore data exporter or an onshore designated affiliate should apply for this certification and assume all data protection liabilities.  The certification requirement is voluntary under the draft rules.  The rules also require the onshore and offshore entities to enter into contractual terms containing some baseline contents.  Although such contracts are not the China version SCCs under the second option, it is likely though that the SCCs could include similar contents.  So multinational companies could start using these as reference points.

    For the China version SCC, in the draft regulation on cross-border data transfer, dated October last year, some key contents are required to go into the contract for cross-border data transfers.  However the draft rules have not distinguished provisions of a transfer of personal information from those for non-personal commercial data, so it's not clear whether the requirement applied to both scenarios and if SCCs will definitely cover these requirements.  These draft rules remain in consultation form until today.  In the interim though many international institutions have taken steps ahead using these draft key requirements and incorporating them into either their GDPR, SCCs or other in-house template of data protection provisions, such that they have started implementation of what is expected to be similar measures in preparation for the release of the China version SCC.  We believe this is a proactive approach.

    And lastly for the cross-border data transfer risk review by the CAC, similarly some drafted thresholds for mandatory review have been released, but there's currently no visibility to the detailed procedures.  It is however expected that other than the prescribed scenarios where mandatory risk review applies, CAC-led security review is not designed to be a routine process for a cross-border transfer of personal information.  And this means that personal information protection certification or the SCCs will be the usual and preferred approach for cross-border transfer of personal information.

    On this note I'm going to pause here and hand over to my colleague, Geoff, who will discuss Australia.

    GM:

    Thanks a lot Tracy.  So moving to Australia, there's three key things that are worth discussing in this short timeframe that we have.  First, a review of the Privacy Act that's underway at the moment.  Second, some recent cases and determinations that we've seen come through in the last year or so; and more broadly looking at some of the things that we're seeing with recent law changes in the privacy space within Australia.

    So moving to the review of the Privacy Act, this is probably the main one, and for privacy lawyers in Australia it's certainly a very key piece of discussion that's ongoing at the moment and has been ongoing for some time.  There was an Issues Paper that was released and then also a Discussion Paper late last year.  And we have a feel for what this will likely cover but we don't have an understanding of exactly the type of reforms that will come out of this Privacy Act review at the moment.

    There are some really big themes that do come out of it though.  One, we're looking at changes or filling of gaps in the current privacy laws – for example, changes to the definition of personal information.  And then also additional changes to a new restricted practices regime – looking at how we deal with information about children, location data, large scale data use and automated decision making as well.

    The other thing that's been looked at as part of this Privacy Act review is the addition of more rights or rules that are similar to what we're seeing in other regimes, in particular the GDPR and things like uplifting the standard of consents in Australia, adding specific rights to object to processing for particular purposes or to withdraw consent, adding a specific right to erasure of personal information, undertaking assessments of secondary uses and recording those.  But even though there's a large amount of things being, dare I say "borrowed" from the GDPR here, it's not something that the government is looking to do to seek adequacy under the GDPR.  It's not the case here that we're making a GDPR-lite or a similar GDPR in Australia.  It is the case that we will see a continuing development or building of Australia's own path in privacy legislation which raises some interesting challenges for organisations that are looking to work out how they align their privacy compliance practices across different jurisdictions.

    And that brings us quite neatly to the cross-border transfers aspect of this review as well.  And both Hoi and Tracy had mentioned cross-border transfers and standard contractual clauses in their jurisdictions.  Under the Australian regime there's a slightly softer cross-border transfer requirement and the standard contractual clauses mechanism isn't something that's currently included, but that is being considered in a little bit more detail as part of this review.  

    The other thing that we may see some more movement on from the Australian perspective is adoption of the APEC Cross-Border Privacy Rules.  And that brings in a number of different jurisdictions on a standardised set of privacy rules for cross-border transfers and was actually the subject of one of the commitments in a recent digital economy agreement between Singapore and Australia – [a] recent trade agreement to actually commit to use the CBPR and promote it within their jurisdictions.  So we may see some more changes in that space.

    The other thing that we're likely to see under the Privacy Act review is the addition of new rights and remedies.  The big headline one there is that the government has committed to increase the penalty under the Privacy Act from approximately $2.2 million to the greater of $10 million, three times the benefit or 10 per cent of annual turnover – which is a much more significant, stick as you may have it, in terms of enforcement of privacy obligations.

    The other key thing here is the introduction of a direct right of action under the Privacy Act.  Currently, for the most part, there's no ability to bring a claim against another organisation for breach of the Privacy Act.  That's something that is undertaken by the Information Commissioner, by the Regulator.  By adding a direct right of action under the Privacy Act, what we're doing here is possibly opening up the doors for class actions as well to be brought under the Privacy Act.  And that's particularly important when you're talking about data breaches and the expansion of data breaches in Australia and global data breaches.  

    If we could go to the next slide, I'll then talk about some of the key cases and determinations that we're seeing at the moment.  The first one here is really on this topic of extra-territorial application of the Privacy Act.  And that Facebook case that's mentioned there is important for a number of reasons in Australia.  Not least that it is the first instance of a Privacy Commissioner seeking pecuniary penalties under the Privacy Act and we will see some interesting moves come out of that once the case continues.

    But the issue on the table for that particular decision was around the extra-territorial application of the Act to Facebook's US entity, Facebook Inc., which has no legal presence in Australia, is not domiciled in Australia, doesn't operate per se in Australia.  But the Information Commissioner's view here has been quite broad typically around the extra-territorial application of the Privacy Act.  Under the Privacy Act you can be found to be subject to the Privacy Act if an organisation is, one, carrying on business in Australia and, two, collecting or holding information from Australia.  So those two limbs of that test were tested quite a bit in this Facebook case and in this particular instance even the act of installing cookies on devices, mobile devices or computers in order to deliver targeted advertising, was bringing the actions of Facebook enough into the realm of carrying on business to bring on the extra-territorial application of the Privacy Act.  

    That is quite a large leap and it's something that the Information Commissioner has been applying in similar contexts as well: one, in a determination in relation to Uber mid-last year; and then also late last year another determination in relation to a company called Clearview AI.  The Clearview AI one brings me quite neatly to the next set of determinations that we are seeing in Australia and that's the use of facial recognition technologies [which] is really seeing quite a lot of interest, both in the media but clearly here from the Regulator as well.

    Clearview AI, as some of you might know, received a lot of media attention a couple of years back because it was developing a very large database of facial images right across the world, essentially scraped from anywhere on the internet – from social media sites, from storage sites, from anywhere where photos might be available.  They were being scraped from the internet, put into a large database and then sold to law enforcement in order to assess whether or not a particular person might've been found within the internet and to identify those people by their social media profiles.

    So the Australian Information Commissioner and then also the UK ICO had a joint assessment of Clearview AI and Clearview [AI] was required to pay a penalty in the UK.  And [the Australian Information Commissioner] also had a determination against it here in Australia in relation to the collection of these facial images and in particular the biometric identifiers that are created from the facial images without an individual's consent.  That was then extended as well, here in Australia, to the Australian Federal Police who had been using that technology on a trial basis, and had not undertaken sufficient privacy impact assessments in relation to the use of that technology.

    There's quite a lot of discussion there from the Regulator around the use of that technology.  That's also been seen in other areas, particularly in retail, so 7 Eleven also had a determination made against it late last year in relation to a similar technology being used in its stores.  And then we've seen very recently other retail stores being investigated by the Information Commissioner in relation to the use of facial recognition technology for loss prevention, so working out whether or not someone is going into stores and stealing things.  

    If we go to the next slide, just to wrap this up very quickly, there are some key things that we're seeing out of all of these things.  The Information Commissioner is being an increasingly active regulator, but it's still not overly well funded and not overly active in comparison to other regulators.  The Privacy Act review might change this but in the gap, we're seeing other regulators jumping in and also bringing actions and concerns around privacy and data related matters.  In particular the Competition and Consumer Commission has investigated both Google and Facebook on various privacy and data related matters.

    And bringing this all together, the recent regulator focus, the Privacy Act review that I've spoken about and a number of those laws and reviews that are listed on the slide there, we are seeing organisations start to reconsider their privacy compliance frameworks and how to integrate various regimes together when it's not just a single regime and work out how to really address those increasingly visible privacy issues that we're seeing.  And on that note I will hand it over to Evan who has a couple of slides on the Singapore side of things.

    EL:

    Thanks Geoff.  So let's hop over the pond to Singapore now.  So there's been quite a lot of discussion on various related issues to data privacy and stuff like cybersecurity is in the spotlight.  There is a new licensing framework for cybersecurity providers.  There is a review ongoing for the cybersecurity code.  And I think for those of you who have been keeping track of the news, you've seen that, in just recent days, there has been a new consultation for a code on social media practices which essentially allows our Regulator to block content that it considers dangerous to persons in Singapore.

    So this is definitely a hot topic.  It's definitely an area of intense scrutiny by various agencies.  But I think what I'd like to focus on today, if I could maybe flip to the next slide, is the amendments to the Personal Data Protection Regime, some of which came into force last year, some of which are not yet in force, and I think this is the thing that has the most immediate impact for most of you on the line.  So this is a very quick overview of the main changes that came in.

    On the left we've got the Mandatory Data Breach Notification Regime which I'll speak a bit more about because that's fairly important.  And the other sort of things that came in are basically alignments that bring Singapore a bit closer to what we see for the GDPR.  So it's stuff about deemed consent and implied consent, which is all quite beneficial but all quite subject to the need to do some kind of internal evaluation of legitimate purposes.  So again, very similar to exercises you'll see going on in the EU.  I think, most importantly, there is, on the right-hand side of the slide, this kind of idea of enhanced financial penalties, that haven't come in yet, but we'll see that.  Again, this is a move towards alignment with the GDPR with fines being increased quite materially.

    The other interesting thing of note is the Data Portability Obligation.  I'm not going to speak very much on that because it's all going to be subject to consultation.  But essentially that is a right of an individual to go to an organisation and say, "Hey you have information, personal data that belongs to me, I'd like you to share that with somebody else".  So the good thing for organisations is that it is at the request of the individual and there is expected to be protections and a standard in place, that means that you don’t have to port the data without warning.  But again, the details will be worked out in consultation and that's just something to keep on the radar in future.

    So I'll flip to the next slide just to talk a little bit about this data breach reporting obligation because, in the past, the position in Singapore before this came in, was that there was a voluntary scheme.  The mandatory scheme basically echoes the voluntary one and it was intended as a bit of a phased approach where people would get comfortable with the voluntary reporting regime and that they would switch to mandatory.  And again, the principles that we see here are based on this idea of there being significant harm.  So you only report it if the breach either causes significant harm to a particular individual because it, for example, involves the disclosure of sensitive personal data and/or the breach was on a sufficient scale and the kind of guidance provided is a 500 person or more marker – in which case there is an obligation to report to the Data Commissioner.

    So moving onto the next slide, just a very quick overview of the timeline now.  It's a fairly generous timeline I have to say because the clock only really starts ticking when you've actually assessed that the breach is a reportable one.  As you can see on the left-hand side of the slide, once you detect the incident, you then have a period of time to determine whether or not it's a data breach.  And although you're supposed to act without undue delay, you generally have about a 30-day time limit for you to assess the nature of the breach and see if it falls within one of the reportable categories that I mentioned earlier.  And assuming it then does, you then have three days to notify the PDPC.  What we usually tell people is that you do have to assess whether you need to notify the affected individuals but you can also apply to the PDPC for guidance and directions on whether to notify the individuals involved.  So it is a move-as-quickly-as-you-can timeline but not a mad scramble and worrying about being in breach because you missed a one-to-two-day reporting timeline.

    Now moving on to the next slide.  This is something that's not in force yet, it's the increased maximum penalties that I mentioned.  You'll see that the current position is basically a flat $1 million fine, Singapore dollars for organisations.  And now we're going to be moving on to the amended position once this comes in to, again take a very GDPR-type metric, which is kind of pegged to the annual turnover in Singapore of a particular business.  So obviously for large businesses with a large annual turnover, that is going to be a significant portion of your turnover in Singapore because it's 10%.  

    The first bullet under the amended position is the substantive obligations under the PDPA.  So it's stuff like your failure to get consent, your failure to protect the data within your care or transferring it cross-border without ensuring that there is equivalent protection on the other side.  The second bullet is kind of what is a bit more unique to Singapore I think.  So the first is to say, Do Not Call Registry – whenever you call a particular number and send a marketing message to that number, you get in trouble.  And the other one is dictionary attack.  So you can see that for that particular, those two particular offences, the threshold is a little lower but it's still going to be a fairly high one if you've got an annual turnover of more than $20 million in Singapore.  So you'd be looking at a minimum $1 million penalty and possibly going up further if you've got a larger annual Singapore turnover.

    There is a significant amount of engagement of IT service providers offshore.  And so cross-border, it's definitely still within the scope of everyone's concern.  And because it is not a terribly high bar to ensure that data's protected when your transfer contractual clauses are sufficient to the structural obligation.  We're not seeing people structurally change the way that they deal with data.  In fact everyone's moving towards more of a cloud-based system, it's an incumbent tech risk as well.

    GM:

    Yeah.  One of the things we are seeing in Australia, it's a similar position but there's this overlay of particular areas or particular sectors where the government is showing a little bit more interest in, and as a result is imposing either a strict or at least a quasi-localisation requirement.  In one area in relation to Foreign Investments Board Review Decisions, where there are foreign investors purchasing Australian businesses, we're seeing more and more conditions to the government's approval which put in place data localisation requirements.  Particularly where the data being held or used is significant amounts of Australian individuals' personal information.  We are seeing some requirements for specific transactions for specific businesses that the data be localised.  And that's a very interesting and quite challenging issue for some of these businesses which will have large usage of cloud-based services, as Evan was saying, and would have in place a lot of these offshore transfers already.  Having to scale it back in order to comply with the Foreign Investment Board Review Decision is actually mounting quite a significant challenge for those investments in Australia.

    TW:

    From a China perspective, although there's still a level of uncertainty in the law, on a high-level basis, data localisation requirements are expected to apply to most of the scenarios where CSE-led cross-border data transfer security review is required – that is when it comes to data of CIO, Critical Information Infrastructure Operator as Hoi just mentioned, important data or data processors that exceed certain thresholds in handling personal information.  So you would see in the news that giant technology companies like Apple, Amazon, they all have their data centres located in China.  So although in some cases the data can still be transferred overseas after the government security review – for example, recently there are proposals for offshore listings to go through CAC security review – the default position is expected to be that such data is normally expected to be stored within China locally.

    HTL:

    Thanks so much all of you for your sharing on that and I see that we only have a few minutes remaining.  So the most important question I have for each of you is, all of you have practices that go beyond just data privacy or data, and you guys do a lot of work in fintech and financial services.  Geoff, in your case, any digital economy industry as well.  I was hoping each of you can share, just what you're anticipating in the next six to 12 months, whether it's in relation to data, fintech, other technology law areas that you're focussed on.  Just share what you're looking forward to in the next six to 12 months, for the audience.

    EL:

    So this is what we call the dark side of fintech.  So clearly fintech is all the new products, we're very excited about that, but equally as we introduce technology into financial services it comes with risk.  That is definitely an area of scrutiny for MAS and we've seen stuff like the recent scams that happened in Singapore with SMS phishing and stuff like that.  So that is an area that's definitely been reviewed and consulted on in terms of what measures financial institutions can take to protect customers from that sort of attack.  And MAS is constantly reviewing the Technology Risk Management Guidelines, so again their cloud services and vulnerabilities of little attacks.  All of that is constantly a space that's just evolving and the more we introduce technology into that, really, the more the risk gets involved.  It's become quite standard for persons to engage quite extensively with consultants on how to build robust IT security systems.  It's no longer just slap a 2FA on it, it's a full-blown review of all your internal processes as well.  There are also questions about corporate data.  In Singapore banking secrecy is a huge thing and that covers corporate data, and generally under a general confidentiality law there is also an obligation to just keep information confidential.  So all of that gets exacerbated when we introduce technology which is vulnerable to attack.  So, in a nutshell it's important.

    TW:

    For China we have started to see some restrictive data and cybersecurity measures being imposed on fintech businesses.  For instance the Chinese Securities Regulator, CSRC, recently released draft rules on the regulation of data and cybersecurity in the securities and futures industry.  The draft data and cybersecurity requirements not only apply to securities and futures exchanges, brokers, clearing and settlement firms etc., they also expressly extend to technology firms providing services to these entities.  Tech or fintech firms will need to be filed with CSRC and be prepared to [audio cut].

    HTL:

    Geoff you might have to… oh Tracy, keep going.

    TW:

    So fintech firms will be heavily regulated from a data cybersecurity perspective, at least for the securities and futures industry.  We have not seen other financial regulators releasing similar requirements, and on the other hand these requirements may effectively exclude some foreign technology service providers from providing IT services to PRC securities and futures firms cross-border.  So for any pending deals it may be the best time to close them in the next few months, due to the more stringent rules that would be forthcoming.

    GM:

    Interesting.  Very, very quickly from the Australian perspective.  Evan mentioned data portability in Singapore, and Australia has its own data portability regime of consumer data rights which kicked off with open banking about two years ago now and that's really starting to roll out.  And what we’re seeing is the expansion of the consumer data rights from other sectors.  Energy will start later this year and also telecommunications.  The next one that we'll see off the ramp, after telecommunications, is what they called open finance, so expanding it to non-bank lenders, insurance, possibly superannuation.  And so we're likely to see some really interesting moves in that space and quite far ahead in Australia here in terms of the open banking push to get to some other jurisdictions.  So it could be an interesting one to watch from the APAC regime generally.

    HTL:

    Thank you so much Evan, Geoff and Tracy for your sharing.  From my end, to keep it short, I'm looking forward to continuing to work with all of you, working across sectors, working across different industry verticals.  So much happening in all of these data privacy and protection areas.  We haven't even gotten onto the valuation of data in corporate transactions – we'll leave that for a separate panel but that's an equally interesting discussion.  

    Thank you so much to the audience for joining us this morning.  Please fill in the feedback form if you can after we conclude, it always helps us to do a better job next time around and if you have any topics you want us to get to let us know.  We see all your questions below, we'll get to them separately as well but for now, thank you for joining us this morning and any questions, look us up separately. 

    Thank you so much.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.
