As data protection legislation is becoming more established around the world, with influential laws such as the European Union’s General Data Protection Regulation (EU GDPR) and China’s Personal Information Protection Law (PIPL) leading the way, data protection professionals need to take a broader view.
This is the opinion of Sarah Wang Han, Head of Research at Straits Interactive, and a data privacy consultant who has studied Chinese data protection legislation.
“Organisations need to know that for certain regions, for certain countries, there are different data privacy requirements. These are countries that may require data localisation, or classified data, and if you are doing business or dealing with personal data there, you need to be very clear about what is required,” she said.
“Can you transfer the personal data [from one country to another]? Can you get the personal data from a country? These are questions you need to know the answer to, as this will affect your business. So of course you need to know the differences in data protection for those jurisdictions,” said Han, who has a Master of Laws from Hunan University.
To learn more about regional data protection laws, including those of Indonesia, Thailand, Singapore, Philippines, Malaysia and China, consider taking the modules of our Advanced Certificate in Data Protection Principles.
The PIPL, which was passed on 1 November 2021, is the first dedicated data protection law in China. The PIPL, the Cybersecurity Law (CSL) and the Data Security Law (DSL) are together known as the “Three Pillars” of data protection and information security in China.
“In China, when you're doing business [there or with the data of Chinese citizens], be very clear about the laws and regulations. Keep abreast with legal developments, not just the national laws, but also look at sector regulations.”
Han noted some major enforcement cases in China since these three laws came into force between 2017 and 2021. These included DiDi, a ride-hailing service that was given a staggering fine of more than 8 billion yuan (USD 1.2 billion) in July 2022, and a number of banks that incurred fines of more than 10 million yuan (USD 1.38 million).
“I have to say that because the PIPL is very strict and it has very hefty fines, organisations have felt threatened by these fines and fear the suspension of their business licences. So they’ve come to the realisation that data protection is a must, they cannot ignore it,” she said.
The Chinese PIPL, like the EU GDPR and the newly passed Indonesian personal data protection law, also has extraterritorial applicability; this means that its provisions and enforcement apply not only to local firms, but also to those based outside of China.
By taking the Advanced Certificate in Data Protection Principles, you can also learn about the GDPR and its application in Asia.
Data protection professionals, such as the data protection officers (DPOs) whose role is mandatory in many jurisdictions, have some common concerns, according to Han, who is a trainer for the Advanced Certificate in Data Protection Principles issued by Singapore Management University.
“As a trainer, I see these professionals often and their common concern is, ‘How do we get started with data protection?’” she said. “They need a very systematic way to do things because they feel kind of lost when they look at legal requirements.”
“While they may have some idea of what to do, and they are clear about the requirements of the law, they struggle with how to comply with the laws and how to operationalise data protection principles alongside data processing.”
One consistent piece of feedback that Han and her fellow trainers get is that course participants like how the courses have been designed.
“This is because we usually start from the cultural perspective, the local background, to give participants an introduction [to the landscape]. For data protection, there are many commonalities around the world, such as the basic principles, the rights of individuals, the obligations of the data controller and data processor.”
“But [across jurisdictions] there are nuances as well. To understand the local data protection law of each territory, you need to respect the local culture and respect the local legal system,” added Han.
“For a DPO here, it’s not just about knowing what is happening in Singapore. You also need to know what is going on in the region, say for ASEAN countries, so that you can comply with these regulations.”