Dealing with the complexity of data protection
In an increasingly digital and joined up Asia, there are several steps that lawmakers and organisations should take to strike the right data privacy balance. Mastercard’s Derek Ho explains
Data protection regulations are not new in Asia. It has been over three decades since Australia introduced its Privacy Act in 1988, and more than two since New Zealand and Hong Kong SAR brought in their data protection legislation. Since then, numerous countries in Asia such as the Philippines, Malaysia and Singapore have implemented such laws, while others including China, India and Indonesia are working on new legislation, or re-evaluating their existing frameworks.
While the principles that underpin such data protection laws are typically consistent with each other, the breadth and depth of such legislation varies across the region. These differences can range from basic fundamental concepts – like the scope of personal data or even the existence of a separate category of sensitive personal data – to the list of situations (or legal basis) in which you can legally use personal data. Standards relating to consent also differ from country to country, with South Korea imposing requirements that are arguably stricter than those under the European General Data Protection Regulation.
As a result, companies operating in the region have to navigate a complex and ever-changing array of data protection regulations and standards,
which poses operational and tech
nology challenges for organisations trying to implement policies and processes across multiple countries.
One reason for all of this complexity is the speed at which the world is going digital. As organisations compete to obtain more data about their customers, concerns around the unauthorised use of or access to data have also grown.
However, the protection of data and individuals' privacy may not be the sole motivation. In some instances, there can also exist a parallel objective to establish a safe and trusted environment for companies to create high value data processing or analytics functions, or to enable the innovative use of data by local industry to benefit national economies and their citizens. Further within Asia, the various cultures, histories, governments and levels of economic development influence the evolution of privacy norms and the degree to which there are differences across the region.
While the arising complexity is little surprise then, dealing with this growing array of regulations is not easy, particularly for micro, small and medium sized enterprises (MSMEs) that operate in the digital space and wish to expand the delivery of their digital goods and services to consumers across multiple countries.
More consistency is needed
Convergence of data protection laws in Asia is perhaps a bridge too far. That said, I believe that there is a founda
tion upon which more consistency in data protection laws can be built to facilitate the ease of cross- border commerce.
For example, at the level of general principles, there is already some overlap in data protection laws in the region. A number of countries have adapted principles that originated in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. So, there already exists a common vernacular at the level of general principles such as