Why the EU GDPR Shapes Data Protection Practices in Asia

2022-11-18

Since its implementation in 2018, the European Union's General Data Protection Regulation (EU GDPR) has been widely seen as the global regulatory standard in the data protection and privacy landscape. In many countries enacting new data protection laws or modernising current data protection laws, such as Hong Kong, Thailand and Indonesia, the GDPR has been viewed as a useful yardstick.

The GDPR was designed to ensure the protection of personal data processed by both public and private organisations within the EU. Privacy is regarded as a human right that is necessary to protect, especially when it comes to business practices and personal data.

A brief background on the GDPR

The European GDPR is a comprehensive data protection law that came into effect on May 25, 2018. It was established to enhance individuals' privacy rights and to create a unified framework for data protection across EU member states.

Origins and Development

The GDPR was born out of a recognition that the digital landscape had evolved significantly since the introduction of the 1995 Directive. The rapid growth of the internet, social media, and big data analytics raised new challenges for personal data privacy. Consequently, the European Commission initiated a reform of the EU's data protection framework to adapt to these changes, culminating in the introduction of the GDPR. The regulation was drafted and negotiated over several years, reflecting the input of various stakeholders, including businesses, privacy advocates, and governmental entities.

Scope and Coverage

The GDPR applies to the processing of personal data, which is defined as any information relating to an identified or identifiable individual (data subject). This includes names, email addresses, identification numbers, location data, and online identifiers. The regulation covers a broad range of privacy standards, including:

1. Collection: Any gathering of personal data, whether online or offline.

2. Storage: Retaining personal data in a database or other systems for any period.

3. Use: Processing personal data for various purposes, such as marketing, profiling, or analysis.

4. Sharing: Distributing personal data with third parties, including service providers and partners.

5. Erasure: The right of individuals to request deletion of their personal data.

Key Provisions of GDPR

The GDPR introduces several key provisions aimed at enhancing data protection, including:

1. Increased Consent Requirements: Organisations must obtain clear and affirmative consent from individuals before processing their personal data.

2. Right to Access: Individuals have the right to access their personal data and obtain information about how it is processed.

3. Right to Rectification: Individuals can request corrections to inaccurate or incomplete data.

4. Right to Erasure ("Right to be Forgotten"): Individuals can request the deletion of their personal data under certain conditions.

5. Data Portability: Individuals can transfer their personal data between service providers.

6. Data Protection by Design and by Default: Organisations are required to implement appropriate technical and organisational measures to ensure data protection is integrated into processing activities.

7. Mandatory Data Protection Impact Assessments (DPIAs): Organisations must assess risks to personal data and take steps to mitigate them, especially for high-risk processing activities.

How the EU GDPR Impacts Data Privacy Regulations Across Asia 

The EU GDPR has had a significant influence on data protection laws and practices globally, including in Asia and, more particularly, in Singapore. As countries continue to grapple with the implications of rapid technological advancements, particularly with the growth of the Internet of Things (IoT), the GDPR serves as a benchmark for establishing robust data privacy frameworks.

Inspiration for Regulatory Frameworks

Singapore is a prime example of how the GDPR has inspired local legislation. The Personal Data Protection Act (PDPA), which came into effect in 2014, was already in place before the GDPR, but the latter has prompted Singapore to further refine its data protection laws. Because of the GDPR's impact on Singapore, the PDPA shares several similarities with the GDPR, such as principles of consent, purpose limitation, and the rights of individuals regarding their personal data. The heightened global focus on privacy prompted by the GDPR has encouraged Singapore to enhance its regulatory framework to align more closely with international standards, thereby facilitating cross-border data flows.

Encouraging Legislative Updates

The GDPR’s stringent requirements for data protection have led Asian countries to consider legislative updates that bolster individual privacy rights and enhance the accountability of organisations that handle personal data. For instance, recent amendments to Singapore's PDPA have introduced higher penalties for data breaches, mirroring the GDPR’s more severe fines for non-compliance. This evolution reflects a growing recognition in Singapore of the importance of protecting personal data, especially in light of the increasing presence of IoT devices that collect and process vast amounts of sensitive information.

Business Implications

Businesses operating in Singapore, particularly those with international ties, are increasingly mindful of compliance. Owing to the GDPR's impact on Singapore, many organisations have adopted GDPR-like practices in their business processes to ensure compliance with EU regulations and to meet the expectations of consumers who are becoming more aware of their privacy rights. This shift has resulted in a greater emphasis on transparency, accountability, and data protection by design in business operations.

Cross-Border Data Transfers

The GDPR's impact in Singapore has likewise put emphasis on cross-border data transfer regulations, given Singapore's role as a regional data hub. The GDPR requires that personal data transferred outside the EU must be adequately protected, leading Singapore to engage in international dialogues to establish data adequacy decisions and frameworks that facilitate seamless data transfers while ensuring a high standard of data protection. The APEC Cross-Border Privacy Rules (CBPR) system is one such initiative that aims to balance data flow with privacy concerns, drawing inspiration from GDPR principles.

Global Trade and Compliance

The interconnectedness of the global economy means that data protection regulations in one region can impact businesses and individuals in another. As international companies navigate the complexities of data protection compliance, the influence of the GDPR in Asian markets has fostered a more unified approach to privacy laws. This is particularly crucial for organisations that operate across multiple jurisdictions, as they must align with varying legal requirements while ensuring the protection of personal data.

How the EU GDPR Affects Business Entities in Asia and Beyond 

The GDPR applies to:

1. EU Organisations: Any organisation based in the EU that processes the personal data of individuals residing in the EU.

2. Non-EU Organisations: Organisations outside the EU that offer goods or services to EU residents or monitor their behaviour within the EU.

This broad applicability means that even companies based outside the EU must comply with GDPR as part of the mandatory requirements if they deal with the personal data of EU citizens. Additionally, organisations are required to appoint a Data Protection Officer (DPO) in certain circumstances, particularly when their core activities involve large-scale processing of sensitive data.

It is not unusual to see multinational companies that are headquartered in the EU choosing to take the GDPR as the default position for data privacy across all of their global operations to ensure consistency among the countries in which they operate. At times, these corporations take that position simply because they think that it is the right thing to do.

On the flip side, the legal requirements of the EU GDPR apply to companies in Asia that choose to market their goods or services to individuals located in the EU. For most Asian companies, such compliance is typically a little different from complying with local data protection or data privacy law.

If you are interested in learning more about the GDPR and how it applies to the region of Asia, check out our course here.

ASEAN's Growing Role in Data Privacy 

In 2022, ASEAN data management frameworks and laws are put in place and recent trends indicate that the entire region is pressing the reset button on data privacy, opening up new business opportunities and driving strong demand for data protection talent.

The job market for data protection and privacy professionals is expected to rise, with many looking to pursue professional certifications to be a part of, or to further their careers in, this industry. Find out more about the insights from Singapore's Data Protection Job Trends research for 2024.

DPEX Network recently held a webinar regarding the enforcement cases in the European Union and Singapore, both of which had data protection laws in force for quite some time. Insights from the research and analysis conducted on the enforcement cases were shared by a distinguished panel of experts from the region.

During the webinar, Dr Prapanpong Khumon, former Advisor to the Secretary-General of the Personal Data Protection Commission in Thailand, noted that data from the analysis is extremely valuable for countries emerging in the data protection landscape. As an example of EU GDPR influence in Asia, he said that the statistics are very good for the Thai data protection circle moving forward and that the Thai law is based heavily on the EU GDPR. The Thai Personal Data Protection Act was fully enforced on 1 June 2022.

Get a brief overview through our webinar summary here.

Biggest Privacy Risks for Users in the New Age of Data and Technology


The extent to which users are tracked across applications and social media, generally for the purpose of serving targeted advertising, is probably considered the biggest privacy risk for users today. It is a subject of considerable regulatory concern in the European Union and change is likely in the next year or two.

Other prominent privacy risks include data mining, identity theft and phishing. Typically, users provide many pieces of personal information when they sign up for social media accounts or memberships. All of this data is gathered and analysed by companies to do better targeting for advertising campaigns, or for the data to be sold.

Identity theft is also a risk since bad actors may use an individual's profile information to impersonate them. With cyber-attacks and phishing on the rise, especially in the time of artificial intelligence, criminals could attempt to “phish” for personal data and they could do so by sending phishing links via messages to an individual's contact list or by gaining control of social media accounts.

To protect their interests, it is important for individuals to know their rights under the PDPA and to ask organisations that collect their personal data why they do so, and how they will use, disclose, and protect that data. Published privacy policies of organisations can provide insight into the purpose behind the collection of data and how the organisations will use, disclose and protect personal data. Hence, it is good practice to read the privacy policy before downloading an app, for instance, so that you know what the organisation is doing in relation to personal data.

For organisations, it is critical for the internal data protection management programme (DPMP) to be implemented properly and reviewed regularly to ensure that operational practices are aligned with good data protection culture.

Find out how to develop a robust data protection management programme through our course here.


For more Data Protection resources, visit www.dpexnetwork.org. Sign up for free as a member to have full access to all content. This article was first published on 19 May 2022.

