APAC TMC Update – Summer 2023

ASEAN

ASEAN and EU release joint guide to ASEAN MCCs and EU SCCs

On 24 May 2023, the Association of Southeast Asian Nations (ASEAN) and European Union (EU) released a Joint Guide to the ASEAN Model Contractual Clauses (MCCs) and EU Standard Contractual Clauses (SCCs) to assist businesses operating in ASEAN and the EU with their compliance with applicable laws for international data transfers in both regions.

The ASEAN MCCs are a baseline set of contractual clauses that can be adopted by data exporters and importers in all ASEAN member states and may be modified or supplemented to the extent that they are consistent with existing ASEAN member state laws. The EU SCCs may be relied on by data exporters transferring personal data outside of the European Economic Area (EAA) without the need for prior authorisation from a data protection authority as long as they are not modified, though additional clauses may be added to provide safeguards to the extent that they are consistent with the EU SCCs and do not prejudice individual rights. 

The Guide identifies similarities and differences between the ASEAN MCCs and EU SCCs under specific topics for controller-to-controller transfers and controller-to-processor transfers and highlights optional clauses, which businesses can adopt in their contractual negotiations with counterparties. 

An Implementation Guide will be released in due course listing best practices that businesses can adopt to meet the requirement of both sets of contractual clauses.

Click here for a copy of the Guide.

China

China issues Guidelines for Filing the Standard Contract for Cross-border Personal Information Transfer

On 30 May 2023, the Cyberspace Administration of China (CAC) issued Guidelines for Filing the Standard Contract for the Cross-border Personal Information Transfer (First Edition). These Guidelines detail the process and timeline for filing, and specify the documents required for the application. A significant part of the guidelines is the Personal Information Protection Impact Assessment Report (PIA Report) template, which provides a structured approach on how to carry out the assessment and draft such a report. Based on this template, the PIA Report must consist of four sections (i.e. an introduction to the assessment process, a comprehensive description of data export activities, an impact evaluation of intended exports, and a final assessment based on the evaluations and necessary rectifications). According to the Guidelines, the PIA report should be completed within three months before filing and remain largely unchanged until then.

See here the full text of the Guidelines (only Chinese text available).

China issues Interim Administrative Measures for Generative Artificial Intelligence Services

On 10 July 2023, the CAC and eight other ministries jointly issued Interim Administrative Measures for Generative Artificial Intelligence Services. These AIGC Measures will take effect on 15 August 2023.

The AIGC Measures regulate the development and use of generative AI products in China. According to the AIGC Measures, generative artificial intelligence refers to the technology that generates content such as text, images, sound, video, and code based on algorithms, models, and rules. Under the AIGC Measures, providers of generative AI services should bear responsibility as network information content producers and fulfil obligations for network information security. They should take measures to prevent discriminative content generation and use training data legally. They are required to take disposal measures against illegal content and report to authorities. A complaint and reporting mechanism should also be established to handle public complaints and reports and provide feedback on the handling.

Notably, the AIGC Measures state that if generative AI services are provided to the People's Republic of China from abroad that do not comply with the laws, administrative regulations and the provisions of AIGC Measures, the CAC will notify relevant agencies to take technological measures and other necessary measures.

See here the full text of the AIGC Measures (only Chinese text available).

China introduces Interim Regulations for Unmanned Aerial Vehicle (UAV) Flight Management

On 28 June, the Chinese government announced the Interim Regulations on the Management of Unmanned Aerial Vehicle (UAV) Flights, which will come into effect on 1 January 2024.

These UAV Regulations focus on enhancing the regulatory framework for UAV and managing their entire lifecycle, from design and production to operation and use through a classification-based approach. UAVs are classified into micro, light, small, medium, and large categories based on performance indicators.

The UAV Regulations establish a product identification code system and require real-name registration of drone owners while also defining requirements for operators in designing, manufacturing, importing, flying, repairing, assembling of different categories of UAEs.

Moreover, the UAV Regulations impose strict management of flight activities, define controlled airspace, and establish a system for flight activity applications and specify norms for conducting flight operations.

See here the full text of the UAV Regulations (only Chinese text available).

China’s Internet Advertisement Administration Measures became effective

On 1 May 2023, the Internet Advertising Administration Measures came into effect. These measures are applicable to commercial advertising activities that utilise internet mediums such as websites, webpages, and internet applications to directly or indirectly promote goods or services through text, images, audio, video, or other forms within the territory of China.

These Internet Administration Measures reiterate certain requirements for advertising as outlined in the Advertising Law, including the prohibition of tobacco advertising and the need for prior examination of medical, pharmaceutical, medical devices, pesticides, veterinary drugs, dietary supplement, and special medical use formula food advertisements. These measures also introduce new requirements such as internet advertisements in the form of pop-up windows, which must include a distinct close icon to ensure easy closure with a single click. Advertisers who publish internet advertisements by themselves are also required to establish advertising archives and ensure timely updates.

See here the full text of the Internet Administrative Measures (only Chinese text available).

China releases revised Radio Frequency Allocation Regulation, facilitating 5G/6G development

On 27 June 2023, the Ministry of Industry and Information Technology (MIIT) released the revised Radio Frequency Allocation Regulations, which took effect on 1 July.

According to the MIIT, this revision allows the ministry to become a global leader in allocating the entire or partial frequency bands of 6425-7125MHz for International Mobile Telecommunications (IMT), which will promote global or regional harmonisation of 5G/6G spectrum resources.

See here the full text of the revised Frequency Allocation Regulation (only Chinese text available)

Hong Kong

PCPD’s issuance of guidance on data breach handling and data breach notifications

On 30 June 2023, the Privacy Commissioner for Personal Data (PCPD) issued a Guidance on Data Breach Handling and Data Breach Notifications. Considering the increasing data breach incidents reported to the PCPD, this Guidance was issued to assist organisations in preparing themselves in the event of a data breach.

In the Guidance, the PCPD identifies common causes of data breaches in Hong Kong, which include cyberattacks, system misconfigurations, loss of physical documents or portable devices, improper or wrongful disposal of personal data, inadvertent disclosure by email or by post, and staff negligence or misconduct. To minimise the impact on the affected data subjects and the organisation itself, the PCPD has recommended the following five-step approach for handling a data breach:

• Step 1: Immediate gathering of essential information;
• Step 2: Containing the data breach;
• Step 3: Assessing the risk of harm;
• Step 4: Considering giving data breach notifications; and
• Step 5: Documenting the breach.

Moreover, the organisation should also review its existing policy and strategy of handling personal data to avoid further recurrence of similar breaches. Depending on the cause of the data breach, the review should take into account matters such as the adequacy of IT security measure, the provision of training to employees regarding data privacy or the effectiveness of the detection of and response to data breaches.

Click here for the Guidance issued by the PCPD.

PCPD publishes investigation report on unauthorised access to credit data in the TE Credit Reference System

On 1 June 2023, the Privacy Commissioner for Personal Data (PCPD) published an investigation report on the unauthorised access to credit data in the TE Credit Reference System. The investigation took place after the PCPD received a complaint related to the TE System, which was developed and operated by Softmedia Technology Company Limited. The TE System is a platform on which money lending companies can assess the credit data of borrowers before deciding whether to approve or reject their loan applications. As of December 2022, the System involved credit data of about 180,000 data subjects. The complainant was informed that his credit records had been accessed by several money-lending companies from which he had never applied for any loans. Concerned that his credit data could be accessed without his consent, he lodged a complaint with the PCPD.

After an investigation, the PCPD found that Softmedia:

• Contravened Data Protection Principle 4(1): since a money lending company can gain unlimited access to the credit data of a specific borrower for five days as long as it declares that it has obtained authorisation from the borrower and pays HKD 2, Softmedia failed to ensure that the credit data of the data subjects were protected against unauthorised access, processing or use; and
• Contravened Data Protection Principle 2(2): since the System holds over 50,000 credit records of which at least five years have passed from the date of final settlement of the debt, Softmedia had retained these credit records for a period longer than necessary.

In light of the contravention, the PCPD served an enforcement notice to Softmedia and directed it to take actions to remedy and prevent recurrence of the relevant contraventions. In addition, the PCPD made the following recommendation to Softmedia and other operators of credit reference databases:

1. to implement a “Personal Data Privacy Management Programme” through which personal data privacy protection can be incorporated into their data governance responsibilities;
2. to appoint a data protection officer to be responsible for overseeing compliance with the requirements under the Personal Data (Privacy) Ordinance and implementing the aforementioned “Personal Data Privacy Management Programme”;
3. to engage an independent compliance auditor to conduct regular compliance audits on the mechanism and means of providing credit reference services; and
4. to adopt strict penalties against money lending companies for contravention.

Click here for the investigation report issued by the PCPD.

Licensing regime for virtual asset trading platform operators in effect from 1 June 2023

On 1 June 2023, the regulatory and licensing regime for virtual asset trading platform operators took effect, which require that the Securities and Futures Commission (SFC) license and regulate centralised virtual asset trading platforms (VATP) operating businesses in Hong Kong or actively marketing their services to investors in Hong Kong.

Dual-licensing regime

To carry out the regulated activities, a VATP should be licensed under the Securities and Futures Ordinance (Cap. 571) (SFO) and/or the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) (AMLO as amended by the Anti-Money Laundering and Counter-Terrorist Financing (Amendment) Ordinance 2022). A VATP providing trading services in security tokens should apply under the SFO regime for Type 1 (dealing in securities) and 7 (providing automated trading services) licences. A VATP providing trading services in non-security tokens should apply under the AMLO regime for a licence to provide a virtual asset service. Since the terms and features of a virtual asset may evolve over time, the virtual asset’s classification is likely to change from a non-security token to a security token, or vice versa. To avoid contravention of any of the licensing regimes, a VATP may consider applying for licences under both the SFO and AMLO regime, especially when a single consolidated application can be made online for both licences simultaneously.

Transitional arrangements

A VATP operating in Hong Kong before 1 June 2023 and providing trading services in non-security tokens with meaningful and substantial presence (i.e. carrying on a genuine business with genuine presence) may be eligible for transitional arrangements, which enable a VATP to continue to operate from 1 June 2023 to 31 May 2024 without contravening licensing requirements.

A VATP wishing to continue operations after 31 May 2024 should apply for a licence before 29 February 2024. In this case, the VATP will be deemed licensed from 1 June 2024 until the application is approved, withdrawn or refused.

Key licensing requirements 

In addition to the SFO and the AMLO, applicants for a VATP licence should also observe and comply with the Guidelines for Virtual Asset Trading Platform Operators issued by the SFC. In summary, to obtain a VATP licence, a VATP applicant should ensure that the following key requirements can be satisfied:

(i) Fitness and Properness Requirements

In determining whether the applicant is fit and proper to be licensed, the SFC will consider the following matters for both the applicant and any of its officers:

a.       Financial status or solvency;

b.       Educational or other qualifications or experiences;

c.       Ability to carry on the relevant activities competently, honestly and fairly; and

d.       Reputation, character, reliability and financial integrity.

(ii) Competence Requirements

The applicant will also need to demonstrate that they have the ability to carry on the relevant activities competently. There are non-exhaustive matters that the SFC will normally consider, taking into account the applicant’s business model, the complexity of its business lines and the particular circumstances of any officer, among other factors.

Generally, the competence of the applicant will be assessed by elements including, without limitation, corporate governance, internal controls, operational review, risk management, compliance and staff competencies.

(iii) Appointment of Responsible Officers and other Personnels

The applicant must appoint at least two Responsible Officers to supervise the business. Among the Responsible Officers, at least one must ordinarily reside in Hong Kong and be available at all times, and at least one must be an executive director of the applicant.

Additionally, there must be at least one individual appointed as Manager-In-Charge (MIC) for the following eight core functions: (i) Overall Management Oversight; (ii) Key Business Line; (iii) Operational Control and Review; (iv) Risk Management; (v) Finance and Accounting; (vi) Information Technology; (vii) Compliance; and (viii) Anti-Money Laundering and Counter-Terrorist Financing. Each of the MICs should be fit and proper with the relevant professional qualifications, training or experience, and can be responsible for managing more than one function. Furthermore, the MIC for the functions of Overall Management Oversight and Key Business Line should also be the Responsible Officer.

(iv) Financial Resources and Soundness

Upon obtaining a license, a VATP must at all times maintain the following financial requirements:

• Assets which it beneficially owns are sufficiently liquid (not in the form of virtual assets) and equivalent to at least 12 months of its actual operating expenses calculated on a rolling basis;
• Paid-up share capital of not less than HKD 5 million; and
• Liquid capital of not less than HKD 3 million.

In assessing whether the applicant is fit and proper in terms of its financial status, the SFC will consider whether the applicant would be capable of satisfying the aforementioned requirements.

Click here for the Guidelines for Virtual Asset Trading Platform Operators.

Indonesia, Malaysia

Indonesian and Malaysian central banks announce launch of cross-border QR payment linkage

On 8 May 2023, the Bank Indonesia (BI) and the Bank Negara Malaysia (BNM) announced the commercial launch of a cross-border QR code payment linkage between Indonesia and Malaysia. Under this linkage, consumers from participating financial institutions can make retail payments in either country by scanning Quick Response Code Indonesian Standard (QRIS) or DuitNow QR codes at physical stores or online merchants. This linkage comes on the back of other similar payment linkages such as the QR linkage between Singapore and Malaysia and is part of a push by the Association of Southeast Asian Nations (ASEAN) member nations to develop a universal QR code for digital payment services. 

Click here to read the official press release from BI.

Philippines

Philippines privacy regulator seeks public comments on draft guidelines on consent as a basis for processing personal data and the use of ID cards by private organisations

On 9 May 2023, the Philippines National Privacy Commission (NPC) requested public comments on two draft guidelines on Consent as a basis for processing personal data (Consent Guidelines) and ID cards issued by private organisations (ID Card Guidelines).

The Consent Guidelines provide guidance on what constitutes valid consent and how it must be obtained and managed. The Consent Guidelines set out the minimum information that must be provided to a data subject when obtaining consent and requires that personal data processing satisfy requirements for transparency, legitimate purposes, proportionality and fairness. Consent must be freely given, specific, informed and expressly given through a clear assenting action. In addition, the Consent Guidelines also set out guidelines for organisations when carrying out direct marketing, data sharing, research, profiling and automated processing, and obtaining publicly available information.

The ID Card Guidelines require organisations issuing ID cards to ensure that only data that is necessary for the purpose of identifying the data subject is included unless such data is explicitly required by law. The issuing organisation is required to implement reasonable and appropriate safeguards to protect such personal data and must ensure that the inclusion of a particular category of personal data is proportionate to a legitimate purpose.

Click here for a copy of the draft Consent Guidelines and here for a copy of the draft ID Card Guidelines.

Singapore

Online Criminal Harms Bill introduced in parliament

On 8 May 2023, the Online Criminal Harms Bill was introduced for First Reading in the Singapore parliament. If passed, the Bill will give the Singapore government more powers to proactively deal with online criminal activities, scams and malicious cyber activities.

The Bill would empower the Singapore government to issue directions to any individual or entity when there is a reasonable suspicion that online activity is being carried out to commit certain specified criminal offences relating to terrorism and internal security, racial and religious harmony, and sexual offences, among others. Such directions include:

• requiring the recipient to stop communicating specified online content to users in Singapore;
• requiring online service providers to stop an account on their service from communicating or interacting with users in Singapore;
• requiring internet service providers to block access to an online location, such as a web domain, from users in Singapore; or
• requiring app stores to remove an app from their Singapore storefronts.

Government directions can also be issued when it is suspected that any online activity is carried out to commit or prepare for the commission of scams or malicious cyber activities. The lower threshold for taking action would enable the government to disrupt scams and malicious cyber activities before consumers are harmed.

Click here to read the full text of the Online Criminal Harms Bill.

Singapore’s central bank launches public consultation on proposed rules on the conduct of marketing activities by financial institutions

On 25 April 2023, the Monetary Authority of Singapore (MAS) released for public consultation two papers containing proposals to enhance safeguards for the conduct of digital prospecting and marketing activities (DPM Paper) by financial institutions (FIs) and the conduct of physical prospecting and telemarketing activities (Telemarketing Paper) by FIs.

In the DPM Paper, the MAS released proposed guidelines requiring board members and senior management of FIs to be accountable and responsible to ensure that proper controls are in place for their FIs' digital prospecting and marketing activities and that such activities are conducted in a responsible and professional manner.

Additionally, the MAS intends to introduce additional advertisement regulations such as: requiring FI approval for non-product advertisements (e.g. advertisements for financial services), requiring FIs and their representatives to disclose their identities in advertisements, extending clarity and legibility requirements to non-product advertisements, requiring FIs to monitor the activities and conduct of lead generation firms engaged by them to ensure compliance with applicable laws, and requiring FIs to provide specified key information to lead generation firms for disclosure to prospective customers.

The MAS intends to provide a transition period of six to nine months for FIs to comply with the new guidelines and regulations in the DPM Paper.

In the Telemarketing Paper, among other things, the MAS disclosed its intention to publish notices covering telemarketing activities conducted by FIs, which will require clear and upfront disclosure of identity and intentions towards consumers and will require that consent be obtained before commencing telemarketing, prohibiting offers of gifts to entice customers to purchase financial products or make larger purchases, and prohibiting the sale of Medisave-approved policies (i.e. health insurance policies approved by Singapore’s national medical savings scheme) over the phone unless safeguards are implemented.

Click here for a copy of the DPM Paper and here for a copy of the Guidelines.

Click here for a copy of the Telemarketing Paper.

South Korea

South Korean privacy regulator seeks public comments on draft decree under the Personal Information Protection Act

On 18 May 2023, South Korea’s Personal Information Protection Commission (PIPC) released for public consultation a draft decree under the Personal Information Protection Act (PIPA). The key features of the Decree include:

• specifying the conditions under which consent for the processing of personal data may be taken;
• setting out notification requirements when personal data is collected from third parties;
• harmonising data protection standards to both online and offline personal data;
• establishing the criteria for determining the severity of PIPA violation;
• setting out the procedure for data breach notifications to the PIPC;
• giving the PIPC powers to stop or prevent infringing overseas transfers of personal data;
• imposing obligations on public bodies running large-scale public systems to conduct personal data file registrations and personal data impact assessments; and
• integrating regulations for the protection of children’s data.

The Draft Decree is open for public consultation until 28 June 2023.

Click here to read the text of the Draft Decree (Korean only).

Vietnam

Vietnam issues comprehensive decree on personal data protection and separate guidance

On 17 April 2023, the Vietnamese government issued Decree No. 13/2023/ND-CP on Personal Data Protection (PDP Decree), the country’s first comprehensive data protection law. The PDP Decree will take effect from 1 July 2023 and extends to Vietnamese organisations operating in foreign countries as well as foreign organisations that process or participate in the processing of personal data in Vietnam.

The PDP Decree provides for two categories of personal data: “basic personal data” and “sensitive personal data”. Organisations processing “sensitive personal data” will need to comply with more stringent requirements. The PDP Decree sets out data subject rights such as the right to be informed, right to consent, right to access, right to withdraw consent, right of erasure, right to restrict data processing, right to object to processing and the right to complain and claim damages.

Consent from a data subject is only valid if the individual voluntarily consents and is informed of the type of personal data processed, the purposes for processing, the organisation or individual processing the data, and their rights and obligations. A data subject must consent to each purpose for data processing and silence or non-response from the data subject will not be regarded as valid consent.

In addition, the PDP Decree requires organisations to create and submit a data processing impact assessment (DPIA) dossier on their data processing activities to the Department of Cybersecurity and Hi-Tech Crime Prevention under the Ministry of Public Security (MPS) within 60 days from the date of processing. If the organisation transfers the personal data of Vietnamese citizens outside of Vietnam, it must also create and submit a separate transfer impact assessment (TIA) dossier to the MPS within 60 days from the date of transfer.

The PDP Decree also imposes an obligation on organisations to notify the MPS of data breaches within 72 hours of the breach.

Click here to read more about the PDP Decree.

On 7 June 2023, the MPS issued the following guidance for the PDP Decree:

• A national portal for notifications and registrations will be launched before 1 July 2023. The MPS also plans to issue DPIA and TIA templates in the near future.
• Both DPIAs and TIAs must be prepared in the Vietnamese language.
• The sale and purchase of personal data is strictly prohibited unless explicitly permitted by law.  Consent is not a legal basis for the trading of personal data, including sensitive data.
• Any organisation transferring personal data of Vietnamese citizens outside Vietnam must comply with the PDP Decree, regardless of their location.
• Foreign organisations incorporated outside Vietnam and subject to the PDP Decree need not appoint a local representative but may be required to appoint a Data Protection Officer (DPO).