Throughout Asia, it’s clear that the European Union’s GDPR privacy regulations, which apply globally when handling EU residents’ data, have marked out many of the ground rules in how to handle privacy laws. But although there are some common elements, there’s no overarching uniformity. Sovereign countries have their own data-protection frameworks and focal points when it comes to regulating privacy.
And although there is some movement to better align local regulations with GDPR, some countries are actually further ahead of the EU on certain aspects of privacy regulations. “There is a misunderstanding that the EU is the highest standard. It definitely is in some areas, but in some areas, definitely not,” says Miriam Wugmeister, a Morrison Foerster partner and cochair of its global privacy and data security group. For example, “countries such as South Korea, Japan, and Singapore are the leaders in terms of data security. On data localization [a.k.a. data sovereignty], China’s way ahead of Europe,” Wugmeister tells CSO Online.
The move to greater consistency at the same time as increased local variation will pose challenges to businesses throughout the world when doing business in Asia, making some efforts easier to scale across the region but still requiring custom implementations around data protection and privacy.
Where GDPR has influenced Asian data-protection laws
“Data-protection legislation in Asia has been influenced by the 1980 version of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” says Peggy Chow, counsel at Herbert Smith Freehills Singapore. “Most Asian data-protection regimes are principles-based and follow the main principles around choice and notice, consent, data minimization, use limitation, retention and destruction of personal data, and cross-border data transfer restriction,” she says.