More than half the countries in the Asia-Pacific region have some form of data protection and privacy legislation
By Rina Chandran
BANGKOK, Nov 1 (Thomson Reuters Foundation) - China's new law aimed at protecting the data privacy of online users takes effect on Monday, as growing complaints about online fraud and abuse of personal information increase pressure on authorities to improve safeguards.
The Personal Information Protection Law (PIPL) introduces perhaps the most stringent requirements and protections in the world, experts say, and could prompt other Asian nations to adopt similar regulations.
More than half the countries in the Asia-Pacific region have some form of legislation related to data protection and privacy, but more than one in four lack any regulation, according to the United Nations' trade agency (UNCTAD).
Concerns around data privacy increased during the coronavirus pandemic as authorities introduced surveillance technologies they said were needed to track and trace infection, but which were criticised for being invasive.
Here is a look at the new China law and a roundup of planned data privacy regulations in the region:
The PIPL is seen as China's latest attempt to regulate cyberspace and follows measures to rein in its tech giants that range from limiting the amount of time spent on online games to ordering food delivery companies to better protect workers.
The PIPL is as much about protecting the privacy of China's nearly 1 billion internet users as it is about prioritising national security through cross-border data flow restrictions and continued surveillance, said Alexa Lee, a senior manager at the Information Technology Industry Council in Washington, DC.
The PIPL "will indeed influence data privacy laws in the region. Specifically, its data localisation measures could reduce interoperability of privacy legislation with the world," she told the Thomson Reuters Foundation.
"Not only would the law reshape the privacy regime in China, but it would also be a major force in the global privacy landscape and a highly consequential regulatory framework for international business to navigate," she added.
A Personal Data Protection Bill introduced in 2019 is scheduled to be debated in the upcoming winter session of parliament amid growing use of biometrics and facial recognition technology across the country.
A new law was urgently needed "since from corporations to the government, every entity wants to collect and use data for their own motives," said Anushka Jain, an associate counsel at the Internet Freedom Foundation digital rights non-profit.
But she said the bill "fails to respond to the growing threat of mass surveillance since not only does it not contain any specific provisions related to surveillance, but it also gives wide exemptions to the government".
Among the criticisms of the bill are that it excludes anonymised data, allows the government and other entities to collect data without consent, and includes conditions that undermine the privacy of individuals.
Data privacy experts have also criticised the lack of independence of the proposed Data Protection Authority.
The Personal Data Protection Act, passed in 2019, was meant to become law in 2020, but has been delayed twice because of the coronavirus, and will now become effective in June 2022. A Personal Data Protection Committee is also meant to be set up.
The PDPA is largely modelled on the European Union's General Data Protection Regulation (GDPR) - which is regarded as the global benchmark - and applies to all organisations that collect, use or disclose personal data in Thailand or of Thai residents.
But it exempts several industries and government agencies from certain conditions, raising concerns about its efficacy.
"The delay in implementation says that the government is not serious enough. We haven't seen any preparation for the law to take effect - including setting up the Personal Data Protection Committee," said Sutawan Chanprasert, founder of DigitalReach, a Southeast Asia digital rights group.
"Also, government agencies are exempted. So state surveillance will still continue."
Indonesia has about 30 regulations that cover data privacy, but most deal with specific sectors such as healthcare or banking, with varying standards and degrees of implementation.
A long-delayed Personal Data Protection Law - which also mandates supervision by an independent data authority - is due to be discussed in parliament this month.
But privacy experts fear that the law will exempt surveillance of citizens by government agencies.
"Indonesia needs a comprehensive data protection law in accordance to relevant international standards, and clear methods to enforce those principles," said Damar Juniarto, executive director of SAFEnet, a digital rights group.
"Only then can the data protection law protect citizens against surveillance - including state surveillance that is eroding the freedom of expression of Indonesian citizens."
The draft Personal Data Protection Bill 2021 that was published in August largely adapts the GDPR, with some changes.
Civil rights groups have said the bill gives "broad powers" of exemption to the government, and have questioned the independence of the proposed data protection authority, as well as the requirement to process "critical personal data" on Pakistani servers.
"Additionally, the new draft introduces terms such as 'national interest' and 'national security' without defining them. Use of such broad language gives the government a wide berth to implement the law as it deems fit," said the non-profit Digital Rights Foundation in a statement.
(Reporting by Rina Chandran @rinachandran; Editing by Claire Cozens. Please credit the Thomson Reuters Foundation, the charitable arm of Thomson Reuters, that covers the lives of people around the world who struggle to live freely or fairly. Visit http://news.trust.org)
Our Standards: The Thomson Reuters Trust Principles.