The information contained in these articles (“the Content”) is for general information only and is not meant to be construed as legal advice. The Content is updated as at the end of 2022. All Content provided is taken from public sources, and we make no representation as to the accuracy or reliability of the Content.
It was another busy and hectic year for legislative developments in Data Protection in Asia. It was heartening to see so many countries in Asia, from Indonesia to China and Japan, step up their legislative efforts to enhance and improve their data protection standards.
Pertinently and unsurprisingly, cross-border data flows and data breach response took centre stage in most of the new developments in Asia. Some countries, like Singapore and Hong Kong, implemented measures to address more specific concerns, reflecting how sophisticated and mature their laws have since evolved.
In this year-end roundup, I will provide a snapshot in two parts. The first part will cover the significant developments in Singapore, and in the second part, we will look at how some of the major Asian countries are enhancing their data protection standards to address the growing threats in the region.
Ever since 2013, when omnibus legislation on data protection was first introduced, Singapore has continuously enhanced and refined its provisions to cater to the ever-changing landscape threatening the protection and security of personal data. Amongst other things, –
In 2022, the PDPC set out a plethora of guidelines, most of which were catered towards very specific situations. In 2022, the PDPC published or released the following: –
2022 was another busy year for the CSA, counting building up regional co-operation and strengthening capabilities amongst its achievements.
The CSA, in partnership with the Global Forum on Cyber Expertise (GFCE), officially announced the creation of a GFCE Southeast Asia Liaison position in October 2022 at the Singapore International Cyber Week 2022.
This Liaison will connect the region and the existing efforts of the ASEAN-Singapore Cybersecurity Centre for Excellence (“ASCCE”) more closely with other GFCE member nations and organisations, including GFCE Liaisons and Hubs from other regions. This closer integration of the region and the GFCE through the Liaison is expected to facilitate exchange of best practices and foster a deeper understanding of the region’s cyber capability gaps, as well as ensure better coordination of cyber capacity building efforts amongst the region’s stakeholders and more efficient use of resources to close these gaps.
The CSA also upgraded the Cybersecurity Code of Practice (“The 2022 Code”) for Critical Information Infrastructure (“CII”), effective from 4 July 2022, superseding previous versions of the Code.
This Code is intended to specify the minimum requirements that the Critical Information Instructure Owner (“CII Owner”) shall implement to ensure the cybersecurity of its CII.
The CII Owner is expected to implement measures beyond those stipulated in this Code to further strengthen the cybersecurity of the CII based on the cybersecurity risk profile of the CII.
Of particular significance within this 2022 Code: –
Any onerous burden that is imposed onto owners of CII is essential and must be balanced against the fact that the cybersecurity has become one of the crucial pillars of the safe operation of CII.
Finally, in a landmark decision, the Singapore Court of Appeal (“CA”) provided some valued insight as to its approach on the interpretation of the provisions of the PDPA.
In the case of Michael Reed v Alex Bellingham (Attorney-General, Intervener) [2022] SGCA 60, they adopted a purposive approach to the construction of the term “loss or damage” under s 32(1) of the PDPA. Section 32(1) confers a right of private action on any person who suffers loss or damage directly because of the contravention of any provision in Part IV/V/VI of the PDPA.
In essence, the CA held that “loss or damage” under s 32(1) of the PDPA includes emotional distress but excludes loss of control of personal data. Some of the CA’s key findings are summarized below:
Despite all the efforts to level up standards, to address data security concerns on new and specific issues like A.I. and blockchain, and even improving standards for the protection of CII, more still needs to be done to fight against all threats to data security.
The continued reports of data breaches are a testimony that the fight to protect data remains a constant need.
It is nonetheless reassuring to see that efforts in Singapore are being made to “level up” standards. Whether to provide guidance to manage personal data in this era of new technologies and innovation, or to guard against specific and new types of threats.
As will also be seen by developments in major Asian countries, the improvements and enhancements can only make it easier for other countries to co-operate on joint enforcement efforts with Singapore for their data protection regimes.
Wun Rizwi
Partner
RHTLaw Asia
rizwi.wun@rhtlawasia.com
+65 6381 6818
Rizwi is a founding member of RHTLaw Asia, and is the Acting Head of the firm’s Intellectual Property and Technology Practice. He also heads the Firm’s Consumer Brands Industry Group, with specific focus on Food & Beverage, Fashion & Luxury, and the Video and Computer Games industries.
RHTLaw Asia is a member of ONERHT, an integrated network of multidisciplinary professional and specialist services which empowers stakeholders to achieve purposeful growth.
© 2023 RHTLaw Asia LLP. All Rights Reserved.
Cookie | Duration | Description |
---|---|---|
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |