Staying on top of data privacy

In this edited extract from a roundtable hosted by India Business Law Journal and Ikigai Law, moderator Sreenidhi Srinivasan and a distinguished panel of global data privacy experts discuss how companies can create globally compliant data privacy policies.

Many countries in the Asia-Pacific region have introduced or are on the verge of introducing data protection laws. For companies doing business outside their borders, a key challenge is knowing how to be compliant with global privacy laws.

The discussion examines various themes around data compliance such as setting a common minimum baseline for global compliance, strategic approaches to different privacy laws, the role played by the EU’s General Data Protection Regulation (GDPR), the importance of data subject rights, and navigating cross-border data transfers.

Accompanying moderator Sreenidhi Srinivasan, partner and lead lawyer on data at Ikigai Law, are Scott Warren, a partner at Squire Patton Boggs in Tokyo specialising in data privacy; Michelle Chan, a TMT of counsel based in Bird & Bird’s London office; and Kritiyanee Buranatrevedhya, an IP and tech partner at Baker McKenzie’s Bangkok office who focuses on data privacy and protection.

Sreenidhi Srinivasan: There are more than 150 data privacy protection laws across the world. For tech businesses that want to go global, how should they think about privacy compliance? What should they start with? Is there a strategic way of thinking about data governance within an organisation?

Scott Warren: In some ways I really feel sad for the in-house counsel of today, because before we just used to be worried about GDPR in Europe, and then we’d worry about the US because of the high penalties. But in the past 10 years or so there’s been an explosion, and within probably the past 20 years, there’s a number of other APAC countries that have their own data privacy laws, which are quite challenging to follow.

So over time, it’s come to me that there’s a concept I’ve called the data privacy continuum. I used to think of it before as you know, digital, a one or a zero, right? It was either Europe or American or something like that. But now I see it as a continuum.

You’ve got Europe that sees data privacy as a fundamental human right. And I actually think the US uses it as a fundamental corporate right. But God forbid you collect it improperly, you lie when you collect it, you abuse it, or lose it, then you’re going to be sued with class action lawsuits, with shareholder derivative lawsuits, and penalised by government regulatory authorities. Facebook, I think, paid USD5 billion not too long ago to resolve a US privacy issue.

But then we have these jurisdictions such as China, the new law, as well as Russia, the old law, that are looking at data privacy much more as a fundamental state right. But at any rate, Europe certainly has a focus on protecting the state secrets, or the state side of that coin. The US is complaining about Huawei, and all the things that might happen with routers that could be used to take data. Frankly, Cisco could do the same thing if they wanted to.

So, this all becomes a matter of who you trust. But the US certainly has a state-located interest. So the thing that’s helpful for me about this continuum is if you look at it, you can see kind of where each country’s laws … fall within it.

And for a lot of APAC countries – Japan, for example, and a lot of other places – I see them trying to straddle the US and Europe side of it. They want to follow Europe so that they can perhaps get an adequacy finding. But they also want to have free transfer of data to trusted sources in the US style.

And then we see some places that we wonder where they fall. Certainly Vietnam is much closer to the China state protection side. And there was some concern with the earlier draft for India, that it was somewhat of a localisation rule. That seems to be relaxed somewhat, but we’re still waiting to see how that actually passes.

But if you can think of it within that continuum, it really helps you figure out – okay, these are the fundamental hot button issues with this country. By reading the law, I know where their focus is, and then it can help you kind of design some common themes through that.

Srinivasan: Michelle, I’ll come to you with sort of a variation of this question. Scott spoke about this continuum – the different triggers or different objectives that different regions might have. How would one be able to glean a common minimum baseline? And are there any differences or similarities that have really stood out to you in the privacy laws of any particular country in South Asia, or the world? Also, how do you then account for those outliers and differences?

Michelle Chan: If you look at the overarching data protection laws in some of the major jurisdictions – the EU, the US, Japan, South Korea and now China – what you see is actually that there will always be some common parts to the data protection law.

So, most of them will define what personal data or personal information is. Most of them will try to distinguish between data controller and data processor. But of course, there are also jurisdictions that don’t draw that sort of distinction. And then you have some data protection principles. Some countries have 10 of them, some only have six. Some don’t call them data protection principles. They’re just embedded somewhere in the law.