RC: Could you provide a brief overview of current data privacy challenges across the Asia-Pacific region? How would you characterise the quality of the physical and virtual architecture security typically installed by companies operating in the region?

Ho: More countries in the Asia-Pacific region will be introducing omnibus privacy and other data related legislation. While these laws usually contain a set of data privacy principles which are largely consistent with one another, the detailed implementation of those principles in national legislation sometimes results in differences. For example, each country in the Asia-Pacific region has varying legal bases for the processing of personal data. All countries in the region provide for consent as a basis for processing but most do not contemplate processing on the basis of the legitimate interest of the organisation. Some countries recognise the data controller vs. data processor distinction, while others don’t. It is a challenge for organisations of all sizes to keep up with the changes, and manage the differences, especially for businesses which operate in multiple markets. That said, eventually this issue may become less of a challenge as countries, in drafting their own privacy laws, acknowledge and refer to other countries’ implementation of data privacy laws, resulting in the adaptation and cross-pollination of legal concepts between countries.

Shepherd: Currently, there is limited harmonisation and commonality between the various jurisdictions in Asia and therefore regional compliance can be time-consuming and resource intensive. In addition, moves to harmonise and enhance data protection laws across the region have been hampered by international developments such as the Max Schrems case, the new EU Data Privacy Regulation, issues surrounding Safe Harbour and the subsequent new ‘Privacy Shield’. Accordingly, as an example, moves by the Hong Kong government to implement restrictions on cross-border data transfers are now apparently being delayed while it waits to see what happens in Europe. Further, there has generally been a lack of significant regulatory enforcement action in both established jurisdictions and those which have recently implemented legislation; this means that the legislation may not be as effective deterrent as it could be, and also that there is some uncertainty as to how legislation will be applied.

Apr-Jun 2016 Issue

Akin Gump Strauss Hauer & Feld LLP


Microsoft Asia

Simmons & Simmons