By Dain Oh, The Readable
Feb. 7, 2023 7:55PM KST
How long does it take for you to click the “I agree” button when asked to share your personal information while accessing online services? It does not take even a few seconds because we do it almost automatically. Although we have not read the service terms, we often take full responsibility for a potential breach of the data that we provided and face unexpected consequences following the mistreatment of personal data due to the devious agreement.
As an alternative to the consent-based privacy practices which have been proven ineffective for quite a while, a global non-profit organization has called for greater convergence and interoperability, guided by the principle of accountability, in the Asia-Pacific (APAC) data protection landscape. The organization’s months-long research has recently culminated in the publication of a comparative analysis report for the region. The Readable spoke with Josh Lee Kok Thong, Managing Director of the Future of Privacy Forum’s (FPF) APAC office, regarding the new publication “Balancing Organizational Accountability and Privacy Self-management in Asia-Pacific.” The interview took place over a virtual meeting between Singapore and South Korea on January 19.
◇ Timely research for APAC
The FPF is a non-profit organization focused on fostering principled and pragmatic privacy and data protection approaches in support of emerging technologies. It is supported by diverse groups of sponsors and contributors while making decisions independently. Its APAC office was opened in Singapore in August 2021 with the aim of building a cooperative platform and encouraging discussions about data protection policies in the APAC region. A month after the establishment of this office, FPF APAC joined forces with one of Singapore’s legal think tanks, Asian Business Law Institute (ABLI), to help the convergence of privacy regulations and best practices in the region. The latest report was published in partnership with the FPF APAC and the ABLI in November of last year.
“Data protection refers to the protection of individuals’ personal data, while recognising the reasonable and legitimate needs of organisations to collect, use or disclose personal data,” said Josh, responding to a question about how he defines privacy. However, Josh emphasized that the meaning of privacy can differ depending on the context or place. Like any other word, privacy is a word that is “context-sensitive,” asserted Josh. Josh added that personal information can include information that directly identifies an individual, or information that, put together with other information, may identify an individual. Again, Josh emphasized that this definition could vary depending on which jurisdiction one was in.
The current study is expected to draw keen attention from the stakeholders in data protection. According to Josh, the timing of the report will allow it to contribute to the evolution of personal data regimes in the region and will become a cornerstone in the advancement of collaboration in the APAC region. For the last few years, many APAC jurisdictions have gone through intensive law reform regarding privacy and data protection. China, Thailand, and Indonesia recently enacted data protection laws during this period. Concurrently, jurisdictions like South Korea, Japan, and Singapore also introduced significant amendments to their own privacy laws. This phase of significant change in the region was a key reason why FPF saw it as timely to conduct the comparative research at this point.
◇ Benefits of coherence in privacy regulations
The report contains a comparison of the legal bases for processing personal data according to the data protection laws and regulations of 14 jurisdictions, including Australia, China, Hong Kong, India, Indonesia, Japan, Macau, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand, and Vietnam. Josh described the research as a “landscape scan of the region” in personal data protection frameworks. “Balance” and “interoperability” were the two words that he cited frequently throughout the interview, along with the word “pragmatic.” “The aim is not to tell legislators what is right or wrong, but to show them what is important for privacy regulations,” said Josh to The Readable.
“Coherence brings numerous advantages for both business entities and individuals,” said Josh. Coherent regulations reduce confusion for enterprises which utilize data and are obligated to comply with the laws in each country that they operate in. Consequently, it benefits customers of those enterprises by enhancing certainty regarding data protection. If the divergence between regions remains unchanged, which the report called the “lack of interoperability,” organizations that operate in multiple jurisdictions will encounter increased challenges with compliance, or other legal uncertainties.
“Variations in data protection frameworks across APAC may impede the effective cross-border implementation of individuals’ data protection rights and may also limit capacities for effective regulatory oversight once personal data leaves a given jurisdiction,” the researchers wrote in the report. He further elaborated on the benefits of legal convergence, saying “greater coherence between and harmonization of regional legal frameworks, particularly relating to legal bases for processing personal data, would help to create the necessary common ground for regulatory cooperation and exchange of ideas, facilitating consistent regulatory action.” This means that government agencies also stand to benefit from consistency. Moreover, it opens more opportunities for APAC regulators to adopt global best practices in data protection, including from other regions such as the European Union and the United States.
◇ Accountability: shifting power from processor to individual
The report suggests using an accountability-based approach to advancing data protection laws in the APAC region. It has been brought to light as a result of the limitations that the consent-based approach imposed on privacy. Consent-centric privacy practices burden individuals with obligations to understand what information was provided to data processors. The full understanding of service terms is rarely achieved under these practices. The consent-based approach may appear to enterprises to be simpler from a compliance perspective, but can affect trust between organizations and consumers. Josh called it “a black hole,” meaning that customers may not necessarily appreciate the full implications of providing their consent to organizations.
The accountability-focused approaches shift more of the responsibility to protect personal data onto organizations. In some cases, accountability-focused approaches include the utilization of data protection impact assessments (DPIA) to give organizations greater visibility into how their processing of personal data impacts individuals. According to the EU’s General Data Protection Regulation (GDPR), the DPIA is part of the “protection by design” principle which requires data controllers, prior to the processing of personal information, to carry out an assessment of the impact of the expected processing operations on the protection of personal data. Singapore and China are instances of APAC jurisdictions which mandate the use of DPIAs in certain aspects, such as when using the “legitimate interest” basis for processing data, in their privacy laws.
“By using various alternative legal bases other than consent and with an eye on supporting greater accountability, organizations can balance their interest in using personal data with broader societal concerns, such as developing a vibrant digital economy or preventing the harms of crime and fraud to individuals,” wrote the FPF in a press release that announced the publication of its report.
In his answer to a question about the current challenges of privacy, Josh highlighted the significance of regulators who implement data protection laws. The regulatory agencies should equip themselves with the necessary capabilities and capacity to effectively implement and enforce data protection laws. In addition, providing regulatory clarity and certainty to organizations and individuals is also important. “This will allow organizations to better understand what is expected of them from a compliance perspective, especially when new laws are about to be enacted,” said Josh.
On its website, the FPF asserted that it is possible to build a world where technological innovation and privacy can coexist. Josh added his opinion to this statement. “There should be a balance between data protection and innovation. Policymakers and regulators need to offer pragmatic industry guidance in a timely manner for businesses to refer to.”
The cover image of this article was designed by Areum Hwang.
Dain Oh is an award-winning cybersecurity journalist based in South Korea and the founding editor-in-chief of The Readable by S2W. Before joining S2W, she worked as a reporter for The Electronic Times, the top IT newspaper in Korea, covering the cybersecurity industry on an in-depth level. She reported numerous exclusive stories, and her work related to the National Intelligence Service led to her being honored with the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology in a unanimous decision. She was also the first journalist to report on the hacking of vulnerable wallpads in South Korean apartments, which later became a nation-wide issue.