APAC TMC Update  – Autumn 2021



Temporary amendments allow electronic execution of documents, virtual meetings

The Treasury Law Amendments (2021 Measures No.1) Bill 2021 (Bill) was passed and came into effect on 14 August 2021.

Arising from the uncertainties caused by COVID-19, the Bill provides temporary relief related to conducting meetings, executing documents, etc., via electronic means. In particular, companies may now use technology to hold meetings (including Annual General Meetings), distribute relevant meeting materials through electronic means, and execute documents electronically.

This is in addition to the permanent amendments related to certain disclosure laws.


Draft amendment expanding the scope of cybersecurity review

The Cyberspace Administration of China published draft amendments to the Cybersecurity Review Measures on 10 July 2021, only days after it launched China’s first cybersecurity review on the online car-hailing platform Didi and other online service operators.

Under the currently effective Measures, cybersecurity reviews mainly focus on the supply chain security of critical information infrastructure (CII) operators. CII operators must go through cybersecurity reviews if they purchase any network products or services that impact national security.

The draft amendment proposes including data compliance in the review scope, with a particular focus on the unauthorised access or control of core data, important data and large-scale personal data by foreign authorities or organisations. In particular, if an operator who controls personal data of more than one million users wants to conduct an IPO in a foreign country, it must go through the required cybersecurity review.

Please click here for the full text (Chinese only) of the draft amendment.

New rules issued for network product security vulnerabilities

The Ministry of Industry and Information Technology (MIIT) together with two other authorities issued the Regulation on the Management of Network Product Security Vulnerabilities on 12 July 2021. The regulation came into effect on 1 September 2021.

The regulation requires a supplier of network products (both software and hardware) to assess the potential impact and consequences in time after it identifies any security vulnerabilities in its network products, report to the MIIT within two days, notify upstream suppliers where necessary, guide users to take mitigation and remedy measures, and provide necessary technical assistance. The regulation also requires organisations engaged in the gathering and publishing of security vulnerability-related information to follow a series of rules when publishing the relevant information, in order to prevent inaccurate or inappropriate reports or secondary damage from taking place. Other ordinary network operators should continue to follow security operation obligations under the PRC Cybersecurity to monitor security vulnerabilities during operations and maintain relevant logs for at least six months.

Please click here for the full text (Chinese only) of the draft amendment.

Judicial interpretation issued enhancing face information protection in civil cases

On 27 July 2021, the Supreme People’s Court of China published the Judicial Interpretation on the Application of Law in Civil Trials concerning the Application of Facial Recognition Technologies in Personal Information Processing, which specifies face information as a special category of “biometric information” that must be subject to strengthened data protection requirements. The interpretation took effect on 1 August 2021.

The interpretation identifies a series of activities that infringe the personality rights of individuals and violate personal information protection law. In particular, the interpretation emphasises the principle of necessity and minimisation, with an aim to prevent excessive collection of face information (e.g. in public areas or in the real estate industry). The interpretation also emphasises the importance of obtaining informed and specific consent from data subjects, and identifies a few circumstances under which consent will no longer be a lawful basis for the processing of data (e.g. where a data subject consents to a “bundled package” of processing activities including the processing of face information).

Please click here to read a Law-Now article for more details.

China publishes protection measures for critical information infrastructure

On 17 August 2021, China's State Council published Security Protection Measures for Critical Information Infrastructure (CII), which took effect on 1 September 2021.

Sectoral regulators must formulate rules for identifying CII within their respective jurisdictions, notify operators of the identified CII and file records with the Ministry of the Public Security. Factors that sector regulators can consider during identification include network infrastructure and information systems that are important to the sector and core businesses in the sector; the degree of harm that may be caused if network infrastructure and information systems are damaged, impaired or breached; and any potential associated impact that these breaches may have on other sectors.

The measures establish high security protection requirements for CII operators that are based on the PRC Cybersecurity Law. Please click here to read a Law-Now article for more details.

Hong Kong

The Personal Data (Privacy) (Amendment) Ordinance 2021 took effect on 8 October 2021

On 8 October 2021, the Personal Data (Privacy) (Amendment) Ordinance 2021 (the “Amendment”) came into effect to combat doxxing. Doxxing is the act of publishing private or identifying information about an individual on the Internet, typically for malicious purposes.

Under the Amendment, it is an offence for a person to disclose any personal data of a data subject without the data subject’s consent. It should be noted that the new provisions protect both the data subject and their immediate family members. The penalty on conviction on indictment is to a fine of $1,000,000 and imprisonment for five years, or on summary conviction to a fine of $100,000 and imprisonment for two years.

To facilitate enforcement of the doxxing offence, the Amendments empower the Privacy Commissioner to carry out criminal investigations and initiate prosecution without the need to refer cases to the Police or Department of Justice. The powers include (1) requesting relevant documents, information or things from any person, or require any person to answer relevant questions to facilitate an investigation into certain offences; (2) applying for a warrant to enter and search premises and seize materials for the purposes of a specified investigation; and (3) prosecuting in its own name cases of suspected contravention of the new doxxing offence and other offences under section 64 of the PDPO or failure to comply with the Privacy Commissioner’s requests related to criminal investigation.

Furthermore, the Amendment confers on the Privacy Commissioner statutory powers to demand cessation of doxxing content. The Commissioner will specify in the cessation notice the concerned doxxing content, notify the person what rectification actions to take, and stipulate a deadline for compliance. An appeal mechanism against a cessation notice is in place to allow any person affected by the notice to make an appeal not later than 14 days after the notice is served.

e-HKD, the future of digital currency?

The Hong Kong Monetary Authority (HKMA) is exploring the feasibility of a digital currency called e-HKD that will allow the public to shop, dine or transfer money electronically, bringing Hong Kong one step closer to becoming a cashless society.

On 4 October 2021, the HKMA issued a technical whitepaper on retail central bank digital currency (rCBDC) as part of Project e-HKD. In addition to working with peer central banks on the cross-border application of wholesale CBDC, the HKMA is studying the prospect of issuing rCBDC in Hong Kong. This project is comprised of two components, namely, a technology experimentation study and a comprehensive study of other issues including legal and policy considerations.

The proposed architecture is comprised of two layers: (1) a wholesale system where the central bank will issue and redeem CBDC; and (2) a retail system for commercial banks to distribute and circulate either rCBDC or CBDC-backed e-money. When designing the proposed architecture, the HKMA was guided by three overarching principles: safety, efficiency and openness to change, innovation, and competition.

Please click here to read the whitepaper for more details.


Developing: New IT Rules challenged in court; rules 9(1) and 9(3) stayed

On 14 August 2021, the Bombay High Court found that rules 9(1) and 9(3) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (IT Rules 2021) were prima facie in violation of the petitioner’s constitutional right to freedom of speech and expression. Consequently, the Bombay High Court granted partial interim relief to the petitioners, granting a stay on rules 9(1) and 9(3), pending the hearing on 27 September 2021.

Other challenges were also mounted against IT Rules 2021 across the country. The central government has reportedly filed a transfer plea for all pending cases to be heard in the Supreme Court of India.

Rule 9(1) relates to the requirements of publishers to adhere to the Code of Ethics annexed to the IT Rules 2012, and Rule 9(3) provides for a three-tier structure in ensuring observance and adherence to the Code of Ethics, and for addressing the grievances made.

New Zealand

Establishing a consumer data right; giving individuals and businesses greater choice and control over their data

On 5 July 2021, the New Zealand government decided to implement a consumer data right (CDR) framework, which allows consumers to consent to the sharing their data with trusted third parties through standardised data formats and interfaces, and for consumers to gain access to a wider range of products and services that better meet their needs.

Key information on this CDR framework include the following:

  • Framework limited to designated sectors, specific types of data: Basic obligations are to be introduced via primary legislation, applying to those within a designated sector. Designations will specify the type of data covered, and the functionality that is enabled. For example, if the banking and financial services sector were designated, obligations may apply to specific data such as bank account information.
  • Ensuring security, third party accreditation: To secure data transfers, consumer privacy, and commercial confidentiality, accreditation of third parties will be required. A range of information protection safeguards will also be introduced.
  • Consumer data rights: Consumers may consent to (a) read access – the ability of an accredited person to read consumer data: and (b) action initiation – the ability pf an accredited person to carry out an action with the consent of a consumer (e.g. to allow a third-party payment provider to conduct a funds transfer when the consumer is paying for goods or services).
  • Express consent requirement: Consent must be expressed (through a clear opt-in), informed, and time-limited. Consent for purposes beyond providing the goods and services requested must be optional. Consumers must also be able to review, amend, or withdraw consent at any time.

With the aim of making a second round of detailed policy decisions in late 2021, the government plans to introduce legislation on the CDR framework in 2022.


Singapore High Court clarifies the scope of “loss or damage” in private action under the data protection law

The Personal Data Protection Act 2012 (PDPA) provides for a right of private action by an individual to claim damages for loss or damage as a result of a breach of the data protection provisions under the PDPA. In the decision of Bellingham, Alex v Reed, Michael [2021] SGHC 125, the Singapore High Court recently explored the scope of this provision. In particular, the High Court considered the scope of “loss or damage” pursuant to the right of private action under (the previous) section 32 (now section 48O) of the PDPA. This matter arose from Bellingham's use without consent of Reed’s personal data, where Bellingham had used the personal data of Reed (i.e. name, and investment details) obtained from Bellingham’s previous employment where Reed was a customer.

The High Court held that while Bellingham had contravened sections 13 and 18 of the PDPA (on consent and the limitation of purpose and extent), it was found that Reed had not suffered any “loss or damage” as required under section 32(1) of the PDPA. In particular, “loss or damage” under the said section is “limited to the heads of loss or damage under common law, and does not include distress or loss of control over personal data”.

Notably, Bellingham also argued that Reed’s email address was obtained via Reed’s LinkedIn account, which was a public source. While it was not disputed that Reed’s LinkedIn account did show his email address, Bellingham conceded that he would not have been able to find Reed’s email address without the use of Reed’s name. As such, the High Court found the publicly available exception does not apply if such publicly available personal data is obtained through the unlawful use of other personal data.


Regulation on cross-border advertising activities took effect 15 September 2021

On 20 July 2021, Vietnam issued Decree No. 70/2021/ND-CP (Decree 70) to amend and supplement the Law on Advertising, Government’s Decree No. 181/2013/ND-CP, regulating the provision of cross-border advertising activities in the country. An indicator of whether a foreign organisation or individual is providing such cross-border advertising services relates to whether revenue is generated in Vietnam from the provision of such advertising services.

Decree 70 requires foreign organisations and individuals to notify the Ministry of Information and Communications directly, either by post or electronically, 15 days before providing cross-border advertising services in Vietnam with information including the name and business address of the organisation, and the location of the main server system providing services.

In addition, Decree 70 also imposes compliance obligations on foreign organisations and individuals providing cross-border advertising services, including the need to take down and remove illegal information upon request, and to provide information to the competent agencies on request if any cross-border advertising activities are in violation of the law.

Co-contributed by Eugene Wong.