APAC TMC Update – Spring 2023

Asia-Pacific

ASEAN

Central banks sign Memorandum of Understanding on Cooperation in Regional Payment Connectivity

On 14 November 2022, the central banks of Indonesia, Malaysia, the Philippines, Singapore, and Thailand signed a Memorandum of Understanding on Cooperation in Regional Payment Connectivity (RPC), agreeing to enhance cooperation on regional payment connectivity. Collaboration between the countries on accelerating regional payment connectivity is in line with ASEAN’s aspiration to enable fast, seamless and more affordable cross-border payments across the region.

China

China publishes the Implementation Rules on Personal Information Protection Certification

On 4 November 2022, the Cyberspace Administration of China (“CAC”) and the State Administration for Marketing Regulation (“SAMR”) issued a notification on the Implementation Rules on Personal Information Protection Certification (“PIP Certification Rules”), which took effect on the same day. The PIP Certification Rules provide a framework and general rules on the certification for personal information protection (“PIP Certification”), covering both domestic processing of personal information (“PI”) and cross-border PI processing. Under Article 38 of the Personal Information Protection Law (“PIPL”), certification by third-party institutions is one of the three channels to transfer PI out of China.

According to the PIP Certification Rules, all data handlers who apply for PIP Certification must comply with the Personal Information Security Specification (GB/T 35273), and data handlers who apply for PIP Certification for cross-border PI processing must also comply with the Specifications for Security Certification of Personal Information Cross-border Processing Activities (TC260-PG-20222A).

The PIP Certification Rules also set out the certification process, which includes document submission, technical verification, onsite review, evaluation and decision making, and post-certification supervision. Notably, a PIP Certification will be valid for three years after issuance. To extend the PIP Certification, data handlers must apply for an extension to the institution that granted it six months before expiration.

Click here for the full text of the notification and here for the full text of the PIP Certification Rules (Chinese only).

China introduces the standard contract for cross-border personal information transfer

China has announced the publication of its standard contract for cross-border personal information transfer (“SCC”) and the measures on SCC (“SCC Provision”), which will be effective from 1 June 2023. As per Article 38 of the PIPL, signing an SCC is one of the three channels to transfer personal information out of China.

Under the SCC Provision, entities that do not meet the security assessment threshold, i.e., those not processing 1,000,000 individuals' personal information or transferring accumulatively over 100,000 individuals' personal information or 10,000 individuals' sensitive personal information from January 1 of the preceding year, may transfer personal information from China by signing the SCC.

Entities intending to transfer personal information from China through the SCC must submit their signed SCCs and personal information protection impact assessment to the provincial CAC within 10 days from the effective date of the signed SCC.

The SCC Provision offers a six-month grace period, and entities that have already carried out cross-border personal information transfers before the SCC Provision takes effect must rectify any non-compliance before this grace period expires.

Click here for the full text of the SCC Provision and the SCC (Chinese only).

China issues a list of Apps in breach of privacy protection laws and regulations

On 3 November 2022, the CAC issued a list of mobile applications (“Apps”) that are in breach of relevant laws and regulations in accordance with the PIPL and the Measures on Identifying Unlawful Acts of Applications (Apps) to Collect and Use Personal Information.

According to the CAC, after inspection and investigation, 55 Apps were found to have committed unlawful acts such as forcing unnecessary access to phones, sharing precise location information with third parties without separate consent, providing no privacy policy, and collecting and uploading contacts in excess of the scope of authorisation. As a penalty measure, these 55 Apps have been removed from App stores and other distribution channels.

Eighty Apps were found to have committed illegal acts such as frequent requests for unnecessary access, no prompt notification of the privacy policy at first launch of the App, no notification of relevant PI handling rules, the consent box for privacy policy checked by default, and difficulty in cancelling accounts. These 80 App operators were ordered to rectify these problems within one month, and if they fail to do so, their Apps will be removed from App stores and other distribution channels.

The CAC states it will continue to strengthen daily supervision in the field of PI protection, and improve law enforcement to safeguard the people’s legitimate rights and interests in their PI.

Click here for the full text of the list.

China publishes draft of Opinions on Promoting the Standardised and Healthy Development of Cybersecurity Insurance for public comments

On 7 November 2022, the Ministry of Industry and Information Technology (“MIIT”) and the China Banking and Insurance Regulatory Commission (“CBIRC”) published the draft of Opinions on Promoting the Standardised and Healthy Development of Cybersecurity Insurance (“Draft Opinions”) for public comments.

According to the Draft Opinions, cybersecurity insurance is emerging as insurance coverage for network security risks. It has become an increasingly important tool for diverting and preventing network security risks, and is playing an important role in promoting the construction of a socialised service system for network security.

The Draft Opinions provide several policy proposals to promote the development of cybersecurity insurance, including establishing and developing measures on cybersecurity insurance and insurance standards and specifications, encouraging insurance companies to develop cybersecurity insurance policies to suit different scenarios, enhancing cybersecurity technology for the development of cybersecurity insurance, promoting cybersecurity insurance and cultivating an industry ecosystem for the development of cybersecurity insurance.

Click here to read the full text of the Draft Opinions (Chinese only).

Hong Kong

Ransomware attacks Fotomax database

On 1 November 2022, Fotomax (FE) Limited, a photo-finishing service chain operating in Hong Kong, filed a data breach notification with the Office of the Privacy Commissioner for Personal Data (“PCPD”), reporting that its online store database had been attacked by ransomware in October 2022. This breach reportedly affected a total of 544,862 members and 73,957 customers who had ordered and accepted services from Fotomax’s online store between 16 November 2020 and 26 October 2021.

After considering the factual circumstances and evidence collected regarding the incident, the PCPD found that Fotomax had serious deficiencies in risk awareness and personal data security measures. The PCPD found that Fotomax:

  • misjudged the risk of the security vulnerability and failed to take action for system security, thereby exposing the personal data in the database to the risk of hackers’ attacks;
  • failed to properly manage the information system which contained personal data, such as not having a robust patch management program, which resulted in the failure to patch the security vulnerability in a timely manner, thus allowing the hacker to successfully intrude into the system through the vulnerability and encrypt the database; and
  • failed to implement multi-factor authentication for SSL VPN as recommended by the firewall manufacturer before the corporate-wide implementation of work-from-home arrangements, which would have prevented hackers from attacking the system by using acquired passwords.

Pursuant to s.50(1) of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), the Commissioner served a notice to Fotomax directing it to take steps to remedy and prevent recurrence of the contravention. With scores of other organisations digitalising their operations, cyber attacks have become one of the main risks faced by most businesses, especially those offering online services and products. Organisations of all sizes can be victims of cyberattacks.

Click here for the media statement issued by the PCPD.

PCPD’s response to the use of drones

On 4 November 2022, the Privacy Commissioner for Personal Data ("PCPD") issued a media response on the use of drones in light of a recent case concerning a man arrested for a voyeurism-related offence. The case came to light after the suspect’s drone crashed and was handed over to police. Officers found over 20 secretly filmed videos of residents and hotel guests involved in intimate activities or in a state of undress. The officers are also investigating whether the videos have been leaked online.

This is the first voyeurism case involving the use of flying devices. The PCPD stated that the Personal Data (Privacy) Ordinance ("PDPO") regulates the collection, holding, processing and use of personal data. Generally, if an aerial camera is equipped with a video recording function to capture and store images or videos of other persons for the purpose of identifying the persons concerned, there is a chance that “personal data” will be collected, and the relevant data user must comply with data-protection principles and related requirements under the PDPO.

The PCPD emphasised that residences and hotel rooms are private spaces and places where members of the public have a reasonable expectation of privacy. If an aerial camera remains in front of the window of a home or room to capture images of people inside, this act may constitute a contravention of data-protection principles. Further information on the use of drones can be obtained from the PCPD’s Guidance on CCTV Surveillance and Use of Drones.

Click here for the media response issued by the PCPD. (Chinese version only)

Introduction of “Exit-Endorsement for Talent”

On 9 February 2023, the Government of the Hong Kong Special Administrative Region announced the introduction of a pilot scheme, “Exit-Endorsement for Talent” (“Scheme”), to facilitate GBA Mainland talents travelling to Hong Kong for exchanges and visits in the fields of scientific research, education, healthcare, law, business and others.

Under the Scheme, six categories of talents may apply to the Mainland authorities for exit endorsements with a validity period of 5 years, 3 years or 1 year, and travel to and from Hong Kong multiple times within the validity period. The categories include outstanding talents, scientific research talents, education talents, healthcare talents, legal talents and other talents.

If the holders of the Exit-Endorsement for Talent also meet the criteria for the “Pilot Scheme on Immigration Facilitation for Visitors Participating in Short-term Activities in Designated Sectors” as expanded by the Hong Kong Government earlier on 1 February 2023, they may also travel to Hong Kong to participate in designated short-term activities as visitors without the need to apply for employment entry permits.

Click here for the press release issued by the Government of Hong Kong SAR.

Real Name Registration for SIM Cards

Pursuant to the Telecommunications (Registration of SIM Cards) Regulation (“Regulation”), any unregistered existing pre-paid SIM cards cannot be used after 23 February 2023. The Regulation took effect on 1 September 2021 and implemented the Real-name Registration Programme for Subscriber Identification Module (SIM) Cards (“Real-name Registration Programme”). The Real-name Registration Programme is intended to prevent criminals from using anonymous and untraceable local pre-paid SIM cards to commit crimes and to allow for more effective investigation by law enforcement agencies.

All new SIM cards, including SIM service plans and pre-paid SIM cards, issued from 1 March 2022 onwards will need to complete real-name registration before activation. Under the transitional arrangement provided under the Regulation, existing pre-paid SIM card users are required to complete real-name registration with their respective operators on or before 23 February 2023. From 24 February 2023 onwards, unregistered pre-paid SIM cards will be deactivated.

Click here for the statement from the Office of the Communications Authority.

Proposed Regulatory Framework for Crypto-assets and Stablecoins

With the rapid growth of virtual asset technologies, Hong Kong financial regulators including the Securities and Futures Commission and Hong Kong Monetary Authority (“HKMA”) have set out to strike a reasonable balance between promoting financial innovation and maintaining financial stability.

On 31 January 2023, the HKMA published a Conclusion of Discussion Paper on Crypto-assets and Stablecoins (“Conclusion Paper”) summarising the feedback it received from the public and industry in relation to the HKMA’s consultation paper issued on 12 January 2022.

The HKMA has given a preliminary indication that it intends to develop an agile, risk-based regulatory regime for stablecoins. The current focus is on payment-related stablecoins, such as stablecoins that purport to reference one or more fiat currencies, as these types of stablecoins are more likely to be used in payments and have linkages with the traditional financial system. That said, it is likely that the proposed regime will give the HKMA flexibility to declare other types of stablecoin structures to be subject to the regulatory regime.

A mandatory licensing regime has been proposed to regulate key activities in respect of stablecoins including governance, issuance, stabilisation and wallets. It is anticipated that a more detailed consultation will follow and proposed draft legislation will be introduced in 2023 or 2024.

Click here for the Conclusion Paper issued by HKMA.

India

New draft released of Digital Personal Data Protection Bill 2022

The Ministry of Electronics and Information Technology has released a draft of the Digital Personal Data Protection Bill 2022 after the withdrawal of the previous Personal Data Protection Bill 2019. Some key provisions of this Bill include:

  • the obligations of a data fiduciary (i.e. any person who alone or in conjunction with other persons determines the purpose and means of processing personal data);
  • the rights and duties of a data principal (i.e. the individual to whom the personal data relates and, where such individual is a child, includes the parents or lawful guardian of such a child);
  • the requirements for cross-border data transfers; and
  • the compliance framework in India, including the presence of alternate dispute resolution provisions and voluntary undertakings, and the financial penalty amounts for non-compliance as specified in Schedule 1 (which is limited in each instance).

The Bill can be accessed here.

New Zealand

Big online platforms required to pay “fair price” for local news content

Hoping to incentivise digital platforms to reach high-quality voluntary deals with local news outlets, the New Zealand government will require “big online digital companies” to pay a fair price to media companies for local news content hosted or shared on their platforms. It is said that the legislation would be designed as a backstop, which will be utilised if such high-quality voluntary agreements are not reached.

The Ministers’ release on this can be accessed here.

Singapore

MAS publishes consultation papers on measures to reduce risks to consumers from cryptocurrency trading and enhance standards of stablecoin-related activities

On 26 October 2022, the Monetary Authority of Singapore ("MAS") published two consultation papers proposing regulatory measures to reduce the risk of consumer harm from cryptocurrency trading and to support the development of stablecoins as a credible medium of exchange in the digital asset ecosystem. These measures will be part of the Payment Services Act. The proposed measures on cryptocurrency trading cover three broad areas: consumer access, business conduct and technology risks. Furthermore, MAS will regulate the issuance of stablecoins pegged to a single currency (“SCS”) where the value of SCS in circulation exceeds SGD 5 million.

Sources: MAS proposes measures to reduce risks to consumers from cryptocurrency trading and enhance standards of stablecoin-related activities

CSA launches internet hygiene portal as one-stop cybersecurity platform for enterprises

On 19 October 2022, the Cyber Security Agency of Singapore ("CSA") launched the Internet Hygiene Portal ("IHP"), an initiative that serves as a one-stop platform for enterprises to easily access resources and self-assessment tools to adopt best practices for internet security. The IHP also published an Internet Hygiene Rating table with a simplified view of each digital platform’s internet hygiene, aimed at helping consumers make informed choices when making digital transactions. As a start, the portal will feature ten popular enterprises in the e-commerce sector.

NFTs recognised as legal property in Singapore

In Janesh s/o Rajkumar v Unknown Person (“CHEFPIERRE”) [2022] SGHC 264, the Singapore High Court granted a worldwide freezing injunction preventing the sale or transfer of non-fungible tokens (“NFT”). In granting the injunction, the High Court recognised that NFTs could give rise to proprietary rights, which could be protected by an injunction, setting a precedent for the recognition of NFTs as legal property in Singapore. However, as the judgment was granted in the context of an urgent ex parte injunction, the Court expressly stated that a different conclusion could be reached with the benefit of full arguments on the issue.

In finding that NFTs could be considered legal property, the High Court reasoned that NFTs were not merely information, but rather encoded data that provides instructions to computers, allowing the “owner” of an NFT exclusive control over its transfer. Furthermore, the High Court found that NFTs were legal property consistent with the definition in National Provincial Bank Ltd v Ainsworth [1965] AC 1175 of being “definable, identifiable by third parties, capable in its nature of assumption by third parties, and have some degree of permanence or stability”.

Online Safety Bill passed

On 9 November 2022, the Online Safety (Miscellaneous Amendments) Bill was passed and was expected to take effect from early 2023. Under the Bill, the Broadcasting Act 1994 and the Electronic Transactions Act 2010 are amended to regulate the providers of online communication services (“OCSs”). The provisions of the Bill have since come into effect under the Broadcasting Act 1994 and Electronic Transactions Act 2010 on 1 February 2023.

The amendments regulate OCSs in two parts. First, the Infocomm Media Development Authority (“IMDA”) can designate OCSs with significant reach or impact in Singapore as Regulated Online Communication Services (“ROCSs”). ROCSs will be required to comply with the relevant Codes of Practice. Second, the IMDA will be able to issue directions to deal with egregious content, which includes content advocating suicide or self-harm, physical or sexual violence and terrorism; content depicting child sexual exploitation; content posing a public health risk in Singapore; and content likely to cause racial and religious disharmony in Singapore. Such directions include requiring: (a) OCSs to disable the access of Singapore users to the content on the service; (b) OCSs to ensure that accounts communicating the specified egregious content cannot continue to communicate to Singapore users; and/or (c) Internet access service providers to block access by Singapore users to the non-compliant OCS.