Mastercard: Dealing with the complexity of data protection
In an increasingly digital and joined-up Asia, there are several steps that lawmakers and organisations should take to strike the right data privacy balance. Mastercard’s Derek Ho explains
Data protection regulations are not new in Asia. It has been over three decades since Australia introduced its Privacy Act in 1988, and more than two decades since New Zealand and Hong Kong SAR brought in their data protection legislation. Since then, numerous countries in Asia such as the Philippines, Malaysia and Singapore have implemented such laws, while others including China, India and Indonesia are working on new legislation, or re-evaluating their existing frameworks.
While the principles that underpin such data protection laws are typically consistent with each other, the breadth and depth of such legislation varies across the region. These differences can range from fundamental concepts – like the scope of personal data or even the existence of a separate category of sensitive personal data – to the list of situations (or legal bases) in which you can legally use personal data. Standards relating to consent also differ from country to country, with South Korea imposing requirements that are arguably stricter than those under the European General Data Protection Regulation.
As a result, companies operating in the region have to navigate a complex and ever-changing array of data protection regulations and standards, which poses operational and technology challenges for organisations trying to implement policies and processes across multiple countries.
One reason for all of this complexity is the speed at which the world is going digital. As organisations compete to obtain more data about their customers, concerns around the unauthorised use of or access to data have also grown.
However, the protection of data and individuals’ privacy may not be the sole motivation. In some instances, there can also be a parallel objective to establish a safe and trusted environment for companies to create high-value data processing or analytics functions, or to enable the innovative use of data by local industry to benefit national economies and their citizens. Further, within Asia, the various cultures, histories, governments and levels of economic development influence the evolution of privacy norms and the degree to which there are differences across the region.
While the resulting complexity is therefore little surprise, dealing with this growing array of regulations is not easy, particularly for micro, small and medium-sized enterprises (MSMEs) that operate in the digital space and wish to expand the delivery of their digital goods and services to consumers across multiple countries.
More consistency is needed
Convergence of data protection laws in Asia is perhaps a bridge too far. That said, I believe that there is a foundation upon which more consistency in data protection laws can be built to facilitate the ease of cross-border commerce.
For example, at the level of general principles, there is already some overlap in data protection laws in the region. A number of countries have adapted principles that originated in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. So, there already exists a common vernacular at the level of general principles such as transparency and openness, collection limitation and accountability.
Additionally, some regions are coming together to discuss and identify common approaches to data protection. ASEAN is a good example of this with its Framework on Personal Data Protection and its more recent Framework on Digital Data Governance. On a wider scale there is the APEC Privacy Framework and the APEC Cross-Border Privacy Rules (CBPR) System and Privacy Recognition for Processors (PRP) System. While these initiatives are promising, ensuring consistency between such regional and sub-regional frameworks will be necessary to avoid adding more layers of complexity.
Finally, efforts – like the Data Privacy Project undertaken by the Asian Business Law Institute – in identifying areas of difference and commonality and potential paths to bring about more consistency around cross-border data transfers should be encouraged as they introduce an additional analytical layer to the conversation.
Importantly, these efforts do not deny the reality that differences will always exist between countries’ legal instruments (as in any other field of law). Instead, the important theme here is the need to establish more shared perspectives with a view towards protecting data and individuals’ privacy, as well as supporting trusted transborder flows of people, goods and services (and the underlying data) between countries.
Accountability as an organisational response
While organisations wait for the above-mentioned efforts to bear fruit, the key question facing them is this: What can they do now to comply with a diverse set of laws while still enabling innovation?
One practical solution is to institute an accountability-based approach to privacy and data protection. At its core, accountability means being responsible for implementing data protection requirements and being able to demonstrate that implementation. This is typically done through the adoption of a comprehensive privacy programme that includes a number of elements such as governance structures and oversight, risk assessments, policies and procedures, transparency, training, monitoring and audits.
Through this framework and these tools, an organisation can assess the benefits and risks of a particular use of data, and take the necessary steps to address concerns and mitigate risks by implementing controls or measures (e.g. de-identification or tokenisation). This is a deliberate and thoughtful approach that seeks to ensure compliance with legal requirements and protection for individuals’ privacy and data, while still enabling beneficial uses of data.
Adopting accountability also aligns with more recently developed regulatory frameworks. For example, the draft India data protection bill explicitly mentions accountability as a data protection obligation. The privacy regulators in Singapore, Hong Kong SAR and Australia have also introduced regulatory guidance for privacy management programmes that incorporate the various elements of accountability.
Once an organisation puts these accountability practices in place, it can consider the additional step of voluntarily certifying compliance with a set of accountability-based standards. This could take the shape of trustmarks or certifications like the Singapore Data Protection Trustmark, or the APEC CBPR and PRP certifications.
Ultimately, achieving a measure of success in bringing about more consistency between the various laws in Asia will demand a collective effort. It will require a willingness to engage in dialogue and openness to establishing areas of mutual benefit and interest, instead of focusing on differences. And for organisations, it will require building hard-earned trust through demonstrated accountability. None of this will be simple; but in the words of Theodore Roosevelt, nothing worth having comes easy.
About the author
Derek Ho is a Singapore-qualified lawyer who specialises in privacy and data protection, technology and telecommunications law. Prior to Mastercard, he held senior legal positions in multinational companies in the Asia Pacific region, and was part of Drew & Napier LLC’s telecommunications, media and technology practice in Singapore. He is also a Vice-President of AsiaDPO, a registered society of data protection officers focused on developing and advancing practices in data protection and serving as a trusted resource of industry expertise.