Comparison of Consent and Other Legal Bases to Process Personal Data across the Asia-Pacific by the Future of Privacy Forum
In September 2023, the Personal Data Protection Commission (“PDPC”) in Singapore provided the findings of a comparative review created by the Future of Privacy Forum (“FPF”) and the Asian Business Law Institute. The review compares consent and other legal bases under data protection laws across 14 jurisdictions in the Asia-Pacific.
Key findings from the review included the following:
- Consent is the only legal basis for processing personal data that is shared across the Asia-Pacific.
- Including consent, the FPF identified 26 relevant legal bases across the Asia-Pacific.
- At the time of the review, Singapore had the most legal bases out of the 14 jurisdictions, with 18 relevant legal bases under its data protection laws.
- Legitimate interests as a relevant legal basis for processing personal data is present in 10 out of 14 jurisdictions.
Click here to access the full report from the FPF and its analysis of various jurisdictions in the Asia-Pacific.
China issues the Provisions on Regulating and Facilitating Cross-border Data Flow (Draft for Comments) (《规范和促进数据跨境流动规定（征求意见稿）》)
On 28 September 2023, the Cyberspace Administration of China (the “CAC”) issued the Provisions on Regulating and Facilitating Cross-border Data Flow (Draft for Comments) (《规范和促进数据跨境流动规定（征求意见稿）》) (the draft “Cross-border Data Flow Provisions”). The draft Cross-border Data Flow Provisions potentially loosen certain requirements for the cross-border transfer of personal information (“PI”).
Under the Personal Information Protection Law (the “PIPL”), companies transferring PI out of China are required to fulfil one of three channel options (the “Channel Option Requirement”): applying for and passing the security assessment by the CAC, signing and filing the standard contract formulated by the CAC, or obtaining certification by an approved institution. In addition, data handlers who meet the threshold number or transfer important data per the Measures for Security Assessment of Data Cross-border Transfer must apply for security assessments.
The draft Cross-border Data Flow Provisions provide clarification on and exemptions to the Channel Option Requirement in certain situations. Among these situations, the following are worth noting:
- Data that is not notified or publicly released as important data by authorities can be transferred without going through the security assessment.
- PI not collected and produced within China, when being transferred outside China, is also exempted from the Channel Option Requirement.
- The Channel Option Requirement is also exempted where cross-border PI transfers are necessary for performing contracts to which the individual is a party, in relation to human resource management, or for protecting life and property.
- If the PI of fewer than 10,000 individuals is anticipated to be transferred out of China within one year, the Channel Option Requirement is exempted. The consent of individuals, however, must be obtained when consent is the lawful basis for the cross-border transfer of PI.
- Pilot free trade zones may explore establishing a negative list mechanism for the free flow of data, and only data that falls within this negative list is subject to the Channel Option Requirement.
The draft Cross-border Data Flow Provisions indicate China’s intent to ease cross-border data transfer restrictions. However, the impact of these draft Cross-border Data Flow Provisions is still subject to finalisation. The public consultation period of the draft Cross-border Data Flow Provisions ended on 15 October 2023.
Click here for the full text of the draft Cross-border Data Flow Provisions (Chinese only).
China publishes the Administrative Measures of the People’s Bank of China for Data Security in Business Fields (Draft for Comments) (《中国人民银行业务领域数据安全管理办法（征求意见稿）》)
On 24 July 2023, the People’s Bank of China (the “PBOC”) issued the Administrative Measures of the People’s Bank of China for Data Security in Business Fields (Draft for Comments) (《中国人民银行业务领域数据安全管理办法（征求意见稿）》) (the draft “PBOC Measures”) to strengthen data security compliance. The draft PBOC Measures aim to implement the Data Security Law, and guide financial institutions that carry out data processing activities (the “Data Processor”) to fulfil data security protection obligations when conducting data activities related to the PBOC business fields.
The draft PBOC Measures require Data Processors to establish data classification and grading systems and procedures, including detailed requirements on how to classify and grade data. In addition, the draft PBOC Measures provide that the PBOC will organise the Data Processors in identifying important data and core data and in filling in and reporting the content of the important data catalogue, and the PBOC will then summarise and determine the specific catalogue of important data.
The draft PBOC Measures also stipulate whole-process data security management requirements, including adopting protection measures for data collection, storage, usage, processing, transmission, provision, disclosure and deletion activities. Requirements are also raised for risk monitoring, assessment, auditing and incident response. PBOC and its branches shall supervise the implementation and may conduct joint law enforcement checks with other authorities. Violations may lead to penalties and legal liabilities as required under the Data Security Law.
The public comments solicitation period ended on 24 August 2023.
Click here for the full text of the draft PBOC Measures (Chinese only).
China issues the Administrative Measures for Auditing of Personal Information Protection Compliance (Draft for Comments) (《个人信息保护合规审计管理办法（征求意见稿）》)
On 3 August 2023, the CAC released the draft Administrative Measures for Auditing of Personal Information Protection Compliance (Draft for Comments) (《个人信息保护合规审计管理办法（征求意见稿）》) for public comments (the draft “Audit Administrative Measures”). The draft Audit Administrative Measures aim to guide and regulate PI protection compliance auditing activities, improve the compliance level of PI processing activities, and protect PI rights and interests.
According to the draft Audit Administrative Measures, there are two types of PI compliance audit: one is carried out regularly by data handlers of PI (the “PI handler”) (the “Regular Audit”), and the other is requested by authorities performing PI protection duties, who entrust professional institutions to conduct the audit (the “Required Audit”). For the Regular Audit, the PI handler may carry out one audit every two or three years; a PI handler that processes the PI of more than one million persons shall carry out an audit each year. A Required Audit may be triggered if the authorities, in the course of performing their duties, find that the PI processing activities carry a substantial risk or if a PI security incident occurs.
The draft Audit Administrative Measures specify requirements on the access permission of the entrusted professional institutions, the timeline, the submission requirements for the Required Audit, and the requirements on such professional institutions.
The draft Audit Administrative Measures also include an appendix providing key audit points for the PI protection compliance audit, covering consent, transparency, purpose limitation, data minimisation, security safeguards, user rights protection, automated decision-making risks, cross-border PI transfer assessments, emergency response capabilities and accountability mechanisms.
The public comments solicitation period ended on 2 September 2023. Click here for the full text of the draft Audit Administrative Measures (Chinese only).
China publishes the Regulations on Security Management of Facial Recognition Technology Application (Trial) (Draft for Comments) (《人脸识别技术应用安全管理规定（试行）（征求意见稿）》)
On 8 August 2023, the CAC released the draft Regulations on Security Management of Facial Recognition Technology Application (Draft for Comments) (《人脸识别技术应用安全管理规定（试行）（征求意见稿）》) (the draft “Facial Recognition Regulations”). The draft Facial Recognition Regulations apply to the provision of products or services that use facial recognition technology to process facial information.
The draft Facial Recognition Regulations specify that facial recognition technology can only be used where the processing is for a specific purpose, with sufficient necessity and strict protection measures. Acquiring specific consent (or written consent in accordance with applicable law), conducting impact assessments, adopting robust technical protections, and continuous risk-based security improvements are required for using facial recognition technology. The draft Facial Recognition Regulations prohibit unauthorised capture or analysis of facial information in private spaces or for sensitive personal attributes. Strict supervision is imposed on public use cases. Violations may lead to corrections, fines, and criminal liabilities.
According to the draft Facial Recognition Regulations, the CAC and related authorities shall strengthen oversight and guidance, accept social supervision, and deter unlawful acts, while facial recognition technology providers shall assist in inspections and compliance.
The public comments solicitation period ended on 7 September 2023.
Click here for the full text of the draft Facial Recognition Regulations (Chinese only).
Hong Kong’s Competition Commission investigates Midland Realty Holdings and two subsidiaries for anti-competitive practices
On 14 November 2023, the Hong Kong Competition Commission (“Commission”) announced it has commenced proceedings in the Competition Tribunal (“Tribunal”) against Midland Realty International Limited and two subsidiaries, Hong Kong Property Services (Agency) Limited and Midlands Holdings Limited (collectively “Midland”), and a number of senior executives, for alleged collusion on minimum net commission rates.
Midland’s competitors Centaline Property Agency Limited and Ricacorp Properties Limited (collectively “Centaline”) were also implicated in the commission-fixing, but have been granted leniency by the Commission in exchange for cooperation under the Commission’s Leniency Policy for Undertakings Engaged in Cartel Conduct (Leniency Policy). Centaline has reportedly provided “substantial assistance” to the Commission’s investigation.
The Commission’s case is that between December 2022 and March 2023, Midland and Centaline engaged in serious anti-competitive conduct contrary to the First Conduct Rule of the Competition Ordinance. The alleged anti-competitive conduct took the form of an agreement to fix the minimum net commission rate for the sale of first-hand residential property in Hong Kong at 2%. The fixed commission rate affected the price that purchasers of those properties paid because it restricted the maximum level of rebate that agents could offer. It is the Commission’s case that fixing the net commission rate therefore amounts to price fixing and/or exchange of competitively sensitive information.
The Commission was first made aware of the alleged anti-competitive conduct in January 2023, when the media reported that four real estate agencies had, almost simultaneously, circulated internal memos directing their agents to observe a minimum commission rate of 2% in first-hand residential property transactions from 1 January 2023 onwards.
The Commission is seeking declarations that Midland and the individuals concerned had contravened the First Conduct Rule, as well as director disqualification orders against the individuals. The Commission is also seeking pecuniary penalties as well as orders for payment of its costs of the investigation and proceedings. Finally, should the Tribunal consider it appropriate, the Commission seeks orders requiring Midland to adopt an effective compliance programme.
The investigation highlights the effectiveness of the Commission’s Leniency Policy. However, Centaline may still face legal claims from first-hand residential home buyers affected by the commission-fixing.
HKPC New Industrialisation announced key findings on the “Hong Kong AI Industry Development Study”
Hong Kong Productivity Council New Industrialisation announced on 10 November the key findings of its “Hong Kong AI Industry Development Study” (“Study”). The Study focused on the status of Hong Kong’s artificial intelligence (“AI”) industry development, domestic and overseas competition and local corporate utility. HKPC New Industrialisation provided nine recommendations for establishing Hong Kong as a well-recognised “International AI and Data Industry Development Hub”.
AI and data science is a stated focus of the HKSAR Government, named in the “2023 Policy Address”. The HKSAR Government will establish a “Digital Policy Office” to accelerate the construction of a high-performance computing (“HPC”) data centre, which is expected to be completed in 2024-2025. The HKSAR Government is also already applying AI technology in its public services.
The Study also collected data from 267 companies, 81% of which were SMEs, to understand the adoption of AI in Hong Kong. The results indicate that 41% of companies surveyed are or will be using AI. 32% already apply technology at multiple levels, including marketing (58%), operations (44%) and internal management (34%).
HKPC New Industrialisation’s recommendations focused on government-related activities which can help to promote adoption of AI in Hong Kong. These include improving infrastructure through HPC centre construction, data-friendly public policy and promoting government activities in the space to take the lead in AI development and adoption, as well as strengthening cooperation in the Greater Bay Area and with other nations. These recommendations come in response to the Study’s finding that 44% of enterprises cited difficulties sourcing processing power as a restriction on their growth, with 71% turning to cloud computing to make up the shortfall and 31% using HPC data centres in the Mainland while 26% turn to overseas data centres.
The second category of recommendations focuses on accelerating industrialisation and encouraging the government to take the lead in promoting large-scale AI applications, empowering industries and developing an “International Financing Centre for AI Companies”. In particular, HKPC New Industrialisation advocated the government cooperating with other public and private institutions to promote the “Specialist Technology Company Listing Rules” (Chapter 18C), launched by the Hong Kong Stock Exchange in March of this year. The Study found that 51% of large companies and 31% of all those surveyed indicated that they were currently profitable. Attracting AI companies to list in Hong Kong is an important way for such companies to raise capital and expand their operations.
The final group of recommendations focused on fostering an AI talent pool. This is in response to findings of the survey that 49% of companies experience difficulties recruiting talent, 41% of which described a lack of technical talent in Hong Kong. The recommendations include promoting education, encouraging universities and community colleges to incorporate AI education into their compulsory courses and secondary schools to integrate AI education. The second recommendation focused on attracting foreign talent by promoting Hong Kong as “The Most Internationally Liveable City for AI Talent”.
Click here for the key findings of the Study (Chinese only).
Hong Kong, China and Macao sign “Memorandum of Understanding (MOU) on Deepening Fintech Innovation Supervisory Cooperation in the Guangdong-Hong Kong-Macao Greater Bay Area”
On 9 November, the People’s Bank of China (“PBoC”), the Hong Kong Monetary Authority (“HKMA”) and the Monetary Authority of Macao (“AMCM”) together signed the “Memorandum of Understanding (MoU) on Deepening Fintech Innovation Supervisory Cooperation in the Guangdong-Hong Kong-Macao Greater Bay Area”. The parties’ stated aim in signing the MoU is to fully implement the Outline Development Plan for the Guangdong-Hong Kong-Macao Greater Bay Area (“GBA”), issued by the Communist Party of China Central Committee and the State Council.
The three authorities have agreed to form a network of the PBoC’s Fintech Innovation Regulatory Facility, the HKMA’s Fintech Supervisory Sandbox and the AMCM’s Regulatory Requirements for Innovative Fintech Trials. The cooperation framework of the MoU is based on the principles of mutual trust, understanding and respect.
In a statement, the HKMA stated that the network “will continue to deepen fintech innovation co-operation, promote the development of digital finance in Guangdong, Hong Kong and Macao, enhance the quality and efficiency of financial services in the GBA, and strengthen financial support for the development of the GBA” and “deepen the synergy of fintech supervisory co-operation, with a view to facilitating the quality financial development of the GBA”.
PCPD publishes an article on privacy and ethical risks of generative AI
The article by the Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”) examines developments in artificial intelligence (“AI”) that can generate content, and points out the privacy and ethical challenges that need to be addressed when using this technology and the changing regulatory environment of AI.
The PCPD noted that Large Language Models (“LLM”), a popular type of generative AI model, leverage deep learning technology to analyse and learn from massive amounts of unstructured data without supervision. Such data is frequently comprised of publicly available text and content scraped from the internet, which may also include personal data. Furthermore, concerns have been raised regarding the output of AI chatbots, as user conversations may become training data for the LLMs behind the AI chatbot, particularly where users may have inadvertently disclosed personal data. Moreover, generative AI developers may encounter difficulties regarding the rights of data subjects to access and correct their personal data and in respect of data retention. Meanwhile, various stakeholders have flagged concerns regarding copyright issues, the ethical risks of inaccurate content and discriminatory and biased output in generative AI.
The regulatory landscape of AI is developing across the globe with diverging approaches on how AI should be best regulated to address the relevant risks. In this regard, the PCPD has issued guidance on the ethical development and use of AI in 2021 to help organisations develop and use AI systems in a privacy-friendly and ethical manner whilst complying with local privacy laws. Overall, the PCPD has called on stakeholders to ensure that core ethical principles such as fairness, transparency, and security are embedded in the development and use of AI.
The Hong Kong Government has allocated USD25.6 billion for fintech and AI
The Hong Kong government has displayed its commitment to investing in and promoting the development of the fintech sector by committing USD 25.6 billion for such purposes. The aim of the investment is to establish and position Hong Kong as a global fintech hub through innovation and technology. Concurrently, the government is also supporting homegrown startups through various initiatives and projects.
A key mandate for the Office for Attracting Strategic Enterprises (“OASES”) is to attract high-potential fintech companies to establish operations in Hong Kong. OASES offers bespoke one-stop services to facilitate the launch and expansion of these companies. These efforts have proved fruitful as OASES has already successfully drawn approximately 30 fintech and other strategic companies to Hong Kong.
The Hong Kong Applied Science and Technology Research Institute (ASTRI) is leveraging technologies like 5G and blockchain to expedite innovation and industrialisation of fintech. ASTRI’s goal is to help local companies gain competitive advantages and capture new opportunities in the dynamic fintech landscape.
Cyberport, Hong Kong’s digital technology hub, has been essential in facilitating the digitalisation of enterprises across various industries and adopting cloud and other technologies into their businesses. In doing so, such organisations can improve operational efficiencies, explore new ventures and capture developing opportunities in fields such as fintech.
Meanwhile, the government has identified cross-border data transfers as an area that it wants to facilitate to encourage the development of fintech solutions for banks and financial institutions.
Announcement of cross-border data verification platform between Shenzhen and Hong Kong
To facilitate and verify the creditability of cross-border data, it was announced at the Shenzhen International Fintech Festival that Hong Kong and Shenzhen plan to launch a platform to verify such data using blockchain. The platform will be built on distributed data transfer protocols and the mainland China blockchain platform FISCO BCOS. In this regard, the platform envisaged does not transfer or store cross-border data but will conduct a verification process based on the hash value of the data.
It is anticipated that the initial trials will be between Hong Kong and Shenzhen as part of the first phase once the platform becomes operational. This initiative exemplifies commitment in the GBA to data cooperation and follows on from the launch of a cross-border verification platform between Guangdong province and Macau.
Although the platform is expected to be first used in the financial industry, it has the potential to be applied beyond traditional industries and introduced to other sectors. Meanwhile, the Bank of China and the Bank of East Asia have been reported to be amongst the first batch of financial institutions that will use the platform.
China cracks down on theft of geographic data
Cybersecurity and its associated risks have been a recurring topic in recent years and an area of particular concern for Chinese authorities. The Ministry of State Security (“Ministry”) has recently launched a national inspection to address concerns regarding the theft of data from geographic information systems and potential threats to national security. In this connection, the Ministry reported that it uncovered cases where foreign geographic information system (“GIS”) software was used in pivotal industries and had collected and transferred data. Given the importance and potentially sensitive nature of such data, the Ministry is committed to eliminating security risks in respect of major data theft and data leaks.
The Ministry has also recognised that as information technology develops, GIS data will have increasing importance as a strategic data resource which has applications in various industries and parts of everyday life. For example, high-precision geographic data could potentially be analysed and used to recreate 3D maps in respect of transport systems, energy and the military.
Having regard to the above, companies and individuals have been encouraged to vet GIS software and adopt security measures to ensure that such software is secure and reliable before collecting and processing geographical information.
User Protection Measures strengthened by the Korea Communications Commission in relation to Failures on Digital Platform Services
On 5 October 2023, the Korea Communications Commission (“KCC”) announced its intention to strengthen the measures to protect users when Digital Platform Services fail to provide digital services.
Specifically, the KCC plans to provide the following in due course:
- Create and issue guidelines on detailed responses, methods and procedures that organisations, both private and public, can adopt for user protection.
- Make amendments to the Telecommunications Business Act, such as mandating user notification when paid Digital Platform Services are suspended for 2 instead of 4 hours, and providing a dispute resolution framework for users to collectively and expediently seek economic remedies.
- Ensure that Digital Platform Services providers provide sufficient compensation for all forms of negligence and remedies for any damages caused by service failures.
Click here to read the official press release from the KCC.
PDPC and AI Verify Foundation – Unprecedented Generative AI Evaluation Sandbox
On 31 October 2023, the Infocomm Media Development Authority (“IMDA”) and AI Verify Foundation (“Foundation”) revealed a Generative AI Evaluation Sandbox (“Sandbox”). Together with this update, the IMDA and Foundation released a draft catalogue for Large Language Models Evaluations (“LLM Catalogue”). The Sandbox and LLM Catalogue provide industry players with the resources and environment to construct “evaluation tools and capabilities”. Besides ensuring that AI is built responsibly, safely and in a trustworthy manner, the Sandbox and LLM Catalogue encourage collaboration between model developers, application developers and third-party testers.
Briefly, the Sandbox and the LLM Catalogue seek to provide a common language for evaluating generative AI and a standard of evaluation benchmarks and methods. Furthermore, both will work hand in hand to assist in building a consolidated knowledge bank on how generative AI products should be tested.
Notable participants in the Sandbox include technology titans such as Amazon, Google, Microsoft, IBM, NVIDIA, as well as public authorities such as the Personal Data Protection Commission. All interested model developers, application developers and third-party testers are invited to participate in the Sandbox. Comments and feedback on the LLM Catalogue can be provided to [email protected].
Click here for the IMDA press release on the Sandbox.
Click here to view the LLM Catalogue.
MAS and IMDA – Shared Responsibility Framework for Phishing Scams
On 25 October 2023, the Monetary Authority of Singapore (“MAS”) and Infocomm Media Development Authority (“IMDA”) released a Shared Responsibility Framework for phishing scams (“SRF”). Among other things, the SRF imposes specific duties on financial institutions (“FIs”) and telecommunication companies (“Telcos”) to combat phishing scams and requires such entities to compensate victims where such duties are breached.
The measures provided by the MAS and IMDA include creating draft Guidelines on SRF outlining the expectations and duties imposed on FIs and Telcos. These Guidelines also provide an operational workflow that the relevant account holder, FIs and Telcos should follow for seemingly authorised transactions to mitigate phishing scams.
The SRF comes on the back of various initiatives designed to address the increasing prevalence of scams today. The SRF complements efforts by public authorities such as the Singapore Police Force, and existing laws such as the Online Criminal Harms Act, and is based on three key policy objectives:
- To preserve confidence in digital payments and digital banking in Singapore.
- To strengthen relevant entities’ direct accountability to consumers on losses incurred from digital scams.
- To emphasise individuals’ responsibility to be vigilant against scams.
From now until 20 December 2023, members of the public and industry players may provide their comments on the proposed SRF to the MAS and IMDA.
Click here for the MAS press release on the proposed SRF.
Click here to view the draft Guidelines on SRF.
Click here to view and provide comments on the consultation paper on the proposed SRF.
Public Consultations by the PDPC regarding Proposed Advisory Guidelines for Children’s Personal Data and the Use of Personal Data in AI Recommendation and Decision Systems
On 18 and 19 July 2023, the PDPC released two public consultation papers regarding the proposed Advisory Guidelines on the Use of Personal Data in Artificial Intelligence (“AI”) Recommendation and Decision Systems (“Advisory Guidelines on AI Systems”) and the proposed Advisory Guidelines on the PDPA for Children’s Personal Data (“Advisory Guidelines on Children’s Personal Data”) respectively.
In the public consultation paper for the Advisory Guidelines on AI Systems, the PDPC invited comments regarding the following:
- The benefits enjoyed by organisations under the existing exceptions with the PDPA regarding use of personal data in the development of machine-learning AI models or systems.
- The satisfaction of the consent, notification and accountability obligations within the PDPA when personal data is collected by organisations for decision, recommendations or predictions by AI systems.
In the public consultation paper for the Advisory Guidelines on Children’s Personal Data, the PDPC highlighted its intention to revise the current Advisory Guidelines on the PDPA for Selected Topics to move all guidance on data activities for individuals under 21 years old to the new Advisory Guidelines on Children’s Personal Data. A total of 8 questions were tabled for public consultation, including examples of visual and audio aids provided by organisations to communicate with children, how organisations should minimise the collection, use and disclosure of children’s personal data, and whether organisations should inform the parents or guardians of children whose personal data is implicated in data breach incidents.
The public consultations for both Advisory Guidelines closed on 31 August 2023. The PDPC will likely provide both Advisory Guidelines during Q4 2023 or Q1 2024.
Click here to access the public consultation document on the proposed Advisory Guidelines on AI Systems.
Click here to access the public consultation document on the proposed Advisory Guidelines on Children’s Personal Data.
State Bank of Vietnam Joins the Regional Payment Connectivity Initiative
On 25 August 2023, the State Bank of Vietnam became the sixth central bank in the Association of Southeast Asian Nations (ASEAN) to officially join the Regional Payment Connectivity (RPC) initiative. The RPC Initiative, which builds on the Memorandum of Understanding on Cooperation in Regional Payment Connectivity, aims to promote payment connectivity between ASEAN countries through “faster, cheaper, more transparent, and more inclusive cross-border payments”. Types of cross-border payments include QR code payments and FAST payments. This development comes on the back of other related payment collaborations, such as various bilateral cross-border QR code payment linkages, between the ASEAN member nations.
Click here to read the official press release from the Monetary Authority of Singapore.
Law on Electronic Transactions introduced by the Ministry of Information and Communications
On 25 October 2023, the Ministry of Information and Communications (“MIC”) released a plan to implement the Law on Electronic Transactions (“LET”), which will come into force on 1 July 2024. The LET, which spans 8 Chapters and 53 Articles, will provide a comprehensive legal framework for facilitating the shift from physical to electronic transactions in all sectors.
Click here to read the official press release from the MIC.