APAC TMC Update – Autumn 2022

Asia-Pacific

China

Measures on Security Assessment of Cross-border Data Transfer take effect

On 1 September 2022, the Measures on Security Assessment of Cross-border Data Transfer (Security Assessment Measures) became effective. The Security Assessment Measures provide detailed requirements for a security assessment, one of the three channel options to export personal information out of China under Article 38 of the Personal Information Protection Law (PIPL).

The Security Assessment Measures prescribe who must undergo a security assessment. An entity that meets any of the following requirements must undergo a security assessment for the exportation of data:

  • exportation of important data by data handlers;
  • exportation of personal information by critical information infrastructure operators (CIIOs);
  • exportation of personal information by data handlers that process over 1,000,000 natural persons’ personal information;
  • exportation of personal information by data handlers that export accumulatively over 100,000 natural persons’ personal information from 1 January of the preceding year;
  • exportation of personal information by data handlers that export accumulatively over 10,000 natural persons’ sensitive personal information from 1 January of the preceding year.

The Security Assessment Measures also prescribe the procedures to apply for security assessment, the aspects to be considered during the assessment, timeline of the assessment, re-application and renewal, etc.

Upon taking effect on 1 September 2022, the Security Assessment Measures provide a six-month grace period (i.e. before 1 March 2023) for entities who carried out cross-border data transfer activities before 1 September 2022 to undertake rectification in order to comply with the measures.

Click here for the full text (Chinese only) of the Security Assessment Measures and here for a Law-Now article discussing the Chinese regulations on cross-border transfer of personal information in a comprehensive way.

Draft amendments to Cybersecurity Law

For the first time since its entry into force on 1 June 2017, draft amendments have been proposed for the PRC Cybersecurity Law (CSL). The CSL regulates network operators in China. The term “network operator” is defined broadly and captures entities operating networks, websites or information processing systems or providing network services in China. According to the CSL, all network operators in China must follow the requirements on cybersecurity protection, content supervision and data protection as prescribed under the CSL.

The draft amendments focus on the legal liabilities for breach of the CSL. They adjust the administrative penalties for breach of the general requirements for network operation security, unifying the types of penalty measures and the range of the penalty amounts. The draft also adjusts the penalties on CIIOs and the penalties for violation of content supervision requirements. Additionally, the draft clarifies that penalties against infringement of personal information rights shall be made in accordance with relevant laws and regulations, such as the PIPL.

It is worth noting that the draft amendments significantly increase penalties. For extraordinarily severe violations of the general requirements for network operation security, the penalties range from RMB 1 million to RMB 50 million or 5% of the previous year’s turnover.

Click here for the full text (Chinese only) of the draft amendments to the CSL.

Developments of sector-specific cybersecurity requirements

Three sector regulators have each issued cybersecurity administrative provisions.

  1. Medical Sector: The National Health Commission, the National Administration of Traditional Chinese Medicine and the National Bureau of Disease Control and Prevention promulgated the Administrative Measures for Cybersecurity of Medical and Health Institutions on 8 August 2022, which became effective on the same day.
  2. Securities Sector: On 29 April 2022, the Securities Regulatory Commission (SRC) issued the draft Administrative Measures for Cybersecurity in Securities and Futures Industries.
  3. Electricity Sector: The National Energy Administration issued the draft Administrative Measures for Cybersecurity in Electric Power Industry on 12 June 2022.

The above sector-specific cybersecurity administrative measures share one common ground – they set out more detailed and implementable cybersecurity requirements than the ones listed under the CSL, including detailed requirements of the multi-level protection scheme, specified obligations regarding security protection, annual assessment and reporting obligations. These measures touch on the requirements not only under the CSL, but also under the PIPL and even the DSL, in a comprehensive way. Since the CSL does not restrict the authority of cybersecurity supervision to a particular department, the issuance of these measures indicates that there may be more sector-specific measures to regulate cybersecurity protection.

Click here (Chinese only) for full text of the medical sector administrative measures, here (Chinese only) for draft measures of the securities sector, and here (Chinese only) for draft measures of the electricity sector.

China promulgates the Anti-telecom and Online Fraud Law

Promulgated on 2 September 2022, the Anti-telecom and Online Fraud Law will become effective on 1 December 2022. This is the first ever special legislation to combat telecom and online fraud.

The law sets forth a series of requirements and measures for the prevention, containment and punishment of telecom and online fraud activities. In particular, telecommunications business operators, financial institutions, and Internet service providers are required to strictly follow the main obligations set forth in this law and to establish a comprehensive anti-telecommunication fraud internal control mechanism, security assessment and responsibility delegating mechanism.

According to this law, financial institutions must establish due diligence systems and strictly perform anti-money laundering and anti-fraud duties. The law also prescribes comprehensive requirements for telecommunications business operators and Internet service providers to follow, including to establish management mechanisms to prevent personal information from being used for telecom and online fraud, properly manage the handling of personal information, and strengthen the protection of personal information; provide alerts on the prevention of telecom and online fraud in relevant business activities; timely alert users about the new tactics of telecom and online fraud in relevant areas, and establish a monitoring and mitigating mechanism to ensure a timely response to various types of fraud activities.

Click here (Chinese only) for full text of the Anti-telecom and Online Fraud Law.

Administrative Provisions on Internet Pop-up Push Services issued

On 9 September 2022, the Cyber Administration of China (CAC), the Ministry of Industry and Information Technology and the State Administration for Market Regulation promulgated the Administrative Provisions on Internet Pop-up Push Services, which took effect on 30 September 2022.

The provisions state that an Internet pop-up information push service refers to information push services provided to Internet users in the form of pop-up message windows through operating systems, application software, websites, etc. Internet pop-up information push service providers refer to organisations or individuals who provide Internet pop-up information push services.

According to the provisions, Internet pop-up information push service providers should implement information content management and establish a sound management system for information content audit, ecological governance, data security and personal information protection, as well as protection of minors.

Click here (Chinese only) for full text of the administrative provisions.

Draft provisions on cybersecurity administrative enforcement procedures

On 8 September 2022, the Cyber Administration of China (CAC) issued the draft Provisions on Administrative Enforcement Procedures of Cyberspace Administration Departments, and is soliciting public comments.

The Draft Enforcement Provisions regulate the procedures for administrative enforcement by the national CAC and local offices of the CAC in the areas of jurisdiction, case initiation, investigation and evidence collection, hearings and talks, enforcement and case closing.

In particular, the Draft Enforcement Provisions provide that a municipal-level CAC has jurisdiction over penalty cases concerning Internet information content, cybersecurity, data security and personal information protection within the corresponding municipal area, while provincial and national CACs are responsible for major and complicated cases in a province or the country respectively. Once the Draft Enforcement Provisions are finalised and effective, with the clear delegation of power, it is anticipated that there would be more active enforcement actions by the CAC in the future.

Click here (Chinese only) for full text of the Enforcement Provisions.

Hong Kong

Update to Hong Kong’s Copyright Regime

On 27 May 2022, the Copyright (Amendment) Bill 2022 was introduced into the Legislative Council for first and second readings on 8 June 2022. Although there is no concrete timeline as to when the new amendments will come into effect, this is a welcome development to strengthen copyright protection in Hong Kong.

The key legislative proposals are highlighted below:

  • To give copyright owners the exclusive right to communicate their work to the public electronically, including via streaming.
  • To introduce criminal sanctions against infringements relating to this new communication right. It essentially includes those who make unauthorized communication of copyright works to the public, (i) for the purpose of, or in the course of any trade or business that consists of communicating works to the public for profit or reward; or (ii) to such an extent as to affect prejudicially the copyright owners.
  • To revise and expand the scope of copyright exceptions, including (i) to allow use of copyright works for the education sector, libraries, museums, archives, temporary reproduction of copyright works by online service providers (“OSPs”), and media shifting; and (ii) to introduce new fair dealings exceptions.
  • To introduce “safe harbour” provisions to provide incentives for OSPs to cooperate with copyright owners in combating online piracy and to provide reasonable protections for their acts.
  • To introduce two additional statutory factors for the court to consider when assessing whether to award additional damages to copyright owners in civil cases involving copyright infringements, given the challenges in providing evidence in the digital environment, namely, (i) the unreasonable conduct of an infringer after having been informed of the infringement; and (ii) the likelihood of widespread circulation of infringing copies as a result of the infringement.

Click here to read the press release for more details.

Consultation Paper on cyber security legislation published

The COVID-19 pandemic has presented various challenges and compelled businesses to accelerate their digital transformation to sustain and grow their businesses. With this transformation, an increasing number of businesses have been subject to cyber attacks. In response, the Hong Kong government has set out to strengthen IT infrastructure, defence and incident response capabilities and raise awareness about cyber security.

On 20 July 2022, the Cybercrime Sub-committee of the Law Reform Commission published a Consultation Paper on Cyber-Dependent Crimes and Jurisdictional Issues with the goal of introducing bespoke cybercrime legislation. Currently, Hong Kong does not have legislation that applies specifically to cybercrime; the relevant offences are covered by various pieces of legislation.

Having considered the laws of various jurisdictions, the committee formulated various recommendations, including the following:

  • The introduction of five categories of cybercrimes to be tackled by the new legislation, covering (i) illegal access to programs or data; (ii) illegal interception of computer data; (iii) illegal interference of computer data; (iv) illegal interference of computer systems; and (v) making available or possessing a device or data for committing a crime (“Cybercrime Offences”).
  • The nature of cybercrime justifies the extra-territorial application of Hong Kong law. Hong Kong courts should have jurisdiction in cases where there are connections with Hong Kong. For example, Hong Kong courts may assume jurisdiction if the perpetrator’s act has caused or may cause serious damage to Hong Kong.
  • Given the severity of the potential harm caused by cybercrime, each of the proposed Cybercrime Offences would have two maximum sentences: 2 years’ imprisonment for summary convictions, and 14 years’ imprisonment for convictions on indictment.

Click here for the consultation paper issued by the Law Reform Commission of Hong Kong.

Data breach incident of Shangri-La Group reported

On 29 September 2022, the Office of the Privacy Commissioner for Personal Data (“PCPD”) received a data breach notification from Shangri-La Asia Limited (“Shangri-La”). In the notification, Shangri-La informed the PCPD that eight of its hotels had suffered cyber attacks. Shangri-La’s internal investigation found that professional cyber attackers had bypassed its IT security monitoring system in or around May and July 2022 and illegally gained access to the data of guests.

The PCPD estimated that the personal information of more than 290,000 guests may have been affected. In this regard, the PCPD commented that it was disappointed that it took Shangri-La more than two months after it had become aware of the incident to inform its customers and formally notify the PCPD.

In light of the nature of the incident and the number of data subjects involved, the PCPD has publicly stated that it has commenced a compliance check on the incident.

Click here for the media statement issued by the PCPD.

Policy statement on the development of virtual assets in Hong Kong

On 31 October 2022, the Financial Services and the Treasury Bureau (“FSTB”) issued a policy statement on the development of virtual assets (“VA”) in Hong Kong.

The FSTB recognised the importance and potential of VA businesses and is working with the financial regulators to promote and develop the VA sector. In this regard, the FSTB aims to promote the development of financial services across the whole VA value chain covering issuance of VA, tokenisation, trading and settlement platforms, financing and asset management and custody.

Having regard to the evolving nature and innovative approach of VA, the FSTB will generally adopt a “same activity, same risks, same regulation” principle. In terms of regulation, the FSTB is looking to put together a licensing regime for VA Service Providers. The proposed regime will align requirements for VA Exchanges in terms of AML/CTF and investor protection with those currently applicable to traditional financial institutions. Under this new regime, financial intermediaries and banks will be able to partner with licensed VA Exchanges and offer clients VA dealing services provided that relevant regulatory conditions are met.

Meanwhile, the FSTB recognised that VAs have unique characteristics that are different from traditional assets and their features may not necessarily fit within the current private property law categories or definitions in Hong Kong. To facilitate adoption and enhance investor protection, the Hong Kong government is open to reviewing the position on property rights for tokenised assets and the legality of smart contracts.

Click here for the policy statement issued by the FSTB.

Indonesia

Requirement to register as Electronic System Operator in Indonesia

As required under the Ministry of Communications and Information (MOCI) Regulation No. 5 of 2020 (Reg 5/2020), any private Electronic System Operator (ESO) operating in Indonesia must register itself and its electronic system with the MOCI.

The scope of ESOs required to register is drafted broadly and includes foreign ESOs located outside of Indonesia or those that do not have an entity in Indonesia. In practical terms, this could mean that any website that provides goods or services to residents of Indonesia, where transactions exceed 1,000 a year, must register under Reg 5/2020.

Failure to register may result in a written warning, administrative fine and/or the blocking of access to the website. In terms of practical enforcement, the MOCI blocked access to several international websites, including Yahoo, PayPal, and gaming websites such as Steam, Epic Games, and Origin, on 20 July 2022, which was the date the MOCI expressed its intention to enforce Reg 5/2020. Most, if not all, of the websites blocked are now registered under Reg 5/2020.

Personal Data Protection Bill ratified on 20 September 2022

After years of deliberation and amendments, the Personal Data Protection Bill was ratified on 20 September 2022 (PDP Act). As Indonesia’s first comprehensive set of rules on personal data protection, the PDP Act is a welcome move amid the spate of data security breaches in Indonesia, including breaches relating to government firms and institutions.

The PDP Act takes a measured approach in requiring an organisation’s compliance with its requirements. Organisations will have two years from the date of implementation to comply with the requirements under the PDP Act.

Singapore

Consolidation of gambling laws: new risk-calibrated approach to regulating gambling in Singapore

Various gambling laws in Singapore were consolidated into the Gambling Control Act 2022 (GCA), which came into force on 1 August 2022 and allows the Singapore Government to stay ahead of technological and gambling trends and take a more holistic and coherent approach to gambling policies. A new gambling regulator, the Gambling Regulatory Authority of Singapore (GRA), reconstituted from the Casino Regulatory Authority (CRA), was set up under the Gambling Regulatory Authority of Singapore Act 2022, replacing the CRA as the authority that regulates gambling and protects Singaporeans from its harmful effects.

This move comes amid the consolidation of the various gambling laws in Singapore.

The GCA provides for the suppression of all forms of unlawful gambling and also the regulation of authorised gambling services outside of casinos, repealing older legislation such as the Betting Act 1960, the Common Gaming Houses Act 1961, the Private Lotteries Act 2011 and the Remote Gambling Act 2014. The GCA also authorises the Gambling Regulatory Authority to direct the Infocomm Media Development Authority (IMDA) to issue an ‘access blocking order’ to an internet service provider, where the Authority is satisfied that the service provider has been providing a remote gambling service in contravention of the GCA.

The GCA also takes a risk-calibrated approach to regulating gambling, providing for two broad types of licensing regimes – (1) the gambling operator licence for gambling services such as betting and lottery, gaming machine rooms, and gambling in private establishments; and (2) class licence for lower-risk gambling products, such as business promotion lucky draws, where operators do not need to be individually licensed but must meet the requirements prescribed under the class licence before offering the relevant activity.

Proposed amendments issued to protect against harmful online content in Singapore

On 3 October 2022, the Singapore government introduced proposed amendments to the Broadcasting Act 1994 (BA) through the Online Safety (Miscellaneous Amendments) Bill to regulate Online Communication Services (OCSs). An OCS is an electronic service, or a part of an electronic service, having the characteristics specified in the Fourth Schedule (currently, social media services are specified within the Fourth Schedule). The proposed amendments regulate OCSs in two key parts.

Firstly, OCSs with significant reach or impact in Singapore may be designated by the IMDA as Regulated Online Communication Services (ROCSs). ROCSs will be required to comply with the relevant Codes of Practice issued to mitigate the risks of danger to Singapore users from exposure to harmful content, and provide their users with accountability on such measures. Failure of a ROCS provider to comply with such Codes of Practice may result in a financial penalty or orders to take steps to remedy the failure. It is an offence to fail to comply with a direction to remedy a failure. In this case, the ROCS provider will be liable to a fine upon conviction.

Secondly, the IMDA may issue directions to deal with egregious content such as content that advocates or instructs about suicide or self-harm, or violence or cruelty to, physical abuse of or acts of torture or other infliction of serious physical harm on, human beings. (Refer to the proposed section 45D of the BA for the full definition). Such directions include – (a) requiring OCSs to disable access by Singapore users to the content on the service; (b) requiring OCSs to ensure that a specified account communicating the specified egregious content cannot continue to communicate to Singapore users; and/or (c) requiring Internet access service providers to block access by Singapore users to the non-compliant OCS where an OCS provider fails to comply with the directions issued by the IMDA. It is an offence not to comply with such directions. In this case, the OCS provider will be liable to a fine upon conviction.

The Second Reading of the Bill is slated for November 2022.

Organisations face higher financial penalties for breaches of the PDPA from 1 October 2022

Enhanced financial penalties for breaches of the Singapore data protection law (the Personal Data Protection Act 2012 or PDPA) will take effect from 1 October 2022. The enhanced penalty is the higher of the following –

  • SGD 1 million; or
  • a maximum of 10% of annual turnover for organisations with an annual turnover that exceeds SGD 10 million.

These changes arose against the backdrop of the amendments to the PDPA that took place in 2020 where the enhanced financial penalty was first introduced, and were due to take effect at a later date. To summarise, the enhancement increases the financial penalty for organisations with a turnover that exceeds SGD 10 million, by allowing the Singapore Personal Data Protection Commission (PDPC) to impose a penalty of up to 10% of the local annual turnover of an organisation.

While the enhanced financial penalty would mostly affect organisations with a local annual turnover in excess of SGD 10 million, it is likely that the financial penalties levied may increase across the board, regardless of whether the organisation crosses the annual turnover threshold.

Therefore, organisations that are not compliant (or not fully compliant) with the PDPA face a higher risk and should be incentivised to immediately review their compliance to minimise the risk of increased penalties.

Vietnam

Vietnam issues decree implementing provisions of Cybersecurity Law

Decree No. 53/2022/ND-CP (Decree 53/2022), which implements provisions of the Law on Cybersecurity, was issued by the Vietnamese Government on 15 August 2022, and will become fully effective on 1 October 2022.

Some key matters to note arising from Decree 53/2022 include the prescribing of a list of important national security information systems, the owners of which are required to, among others, provide certain prescribed information to the relevant government authorities and comply with prescribed security measures. The Decree empowers the authorities to require companies to take certain measures (e.g. deleting data, providing authorities with data, and suspension of domain names) in circumstances such as violations of law or infringements of national security, social order and safety.

Additionally, domestic companies and certain foreign companies will have to store specific types of data in Vietnam for a minimum period of 24 months, and system logs relating to violations of the law must be stored for at least 12 months. These foreign companies are also required to set up a branch or representative office in Vietnam. Note that the application of such requirements on foreign companies is limited. Specific conditions would need to apply before foreign companies are required to comply with the requirement.

See our article on Decree 53/2022 for more information.

New Cinema Law in Vietnam

On 15 June 2022, the new Cinema Law was passed by the National Assembly of Vietnam. The Cinema Law will take effect on 1 January 2023, replacing older legislation enacted in 2006.

In addition to clarifying requirements relating to film content and production, the new law also sets out the obligations applicable to the dissemination of a film in cyberspace, such as the requirement to classify films according to government standards and to notify the Ministry of Culture, Sports and Tourism of the film classifications before disseminating the films in cyberspace.