TOP Beraten thanks EUROCHAM and ACASIA for their very informative webinar about data sovereignty and data protection in the EU and ASEAN countries. It was my pleasure to follow the presentations of the experts Mr. Teoh Aik Hong (Senior Director, Business IT at DHL Express Malaysia and Brunei), Mr. Ts. Syahrir Nizam Jalis (CEO at ACASIA Communications Sdn Bhd), and Ms. Liew Shi Ying (Partner at Azrul, Liew & Co).
The first two speakers gave an overview and Ms. Liew Shi Ying’s presentation went deeper into the matter of the EU’s General Data Protection Regulation (GDPR) and the different concepts of personal data and data protection in ASEAN countries.
It became clear that the topic of personal data protection through government regulation is becoming increasingly relevant as countries see the necessity to protect the personal data of their citizens. Data sovereignty comes into the picture when the regulations specifically aim to protect personal data from threats from outside the country.
Data sovereignty means that a country or region defines by law how the personal data of the citizens of this region is to be collected, stored, and processed. This is important to prevent their citizens’ data from being misused by other countries or foreign organizations.
As a part of data protection, data sovereignty will also gain importance in the future, though at this point the majority of countries have yet to establish regulations covering this matter.
Data Sovereignty and Data Protection in the EU
The European Union is one of the pioneers when it comes to data sovereignty. The General Data Protection Regulation (GDPR) came into force in 2018. The purpose of the regulation is stated as follows: protection of individuals with regard to the processing of personal data and the free movement of such data.
All organizations that collect, store, or process the personal data of EU citizens have to comply with this regulation. Non-compliance can result in fines of up to 20 million euros or 4% of global turnover.
The collected data must be stored within the EU or in a territory with a similar level of data protection. This includes only the following countries: Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, the United Kingdom, and South Korea. A data transfer to these countries is permitted.
How is personal data defined in the GDPR? It is any information related to an identified or identifiable natural person. Information about the deceased, properly anonymized data, and information about public authorities and companies are not included.
The 7 principles of the GDPR are:
- Lawfulness, fairness, and transparency
Any organization requires a valid reason for processing personal data, for example a legal obligation. Further, it must not mishandle or misuse the data it collects, and it has to be transparent about how the personal data is processed and used.
- Purpose limitation
The data may only be collected for specified, explicit, and legitimate purposes. The purpose has to be clearly communicated, and the company collecting the data then has to adhere closely to the stated purpose.
- Data minimization
This means that organizations are only allowed to collect the minimum amount of data they need to fulfil the purpose.
- Accuracy
The collected and stored data have to be accurate, and measures have to be in place to ensure continuing accuracy.
- Storage Limitation
The length of time the data is stored has to be justified. Data has to be deleted or anonymized once it is no longer needed.
- Integrity and Confidentiality
The data has to be stored securely, protected against both internal and external threats.
- Accountability
An organization has to be able to show appropriate measures, records, or documentation to prove its compliance.
Data Sovereignty and Data Protection in the ASEAN countries
Countries in the ASEAN region with comprehensive personal data protection laws are Malaysia, Singapore, the Philippines, and Thailand.
Indonesia, Laos, Vietnam, Cambodia, Myanmar, and Brunei have no personal data protection laws, or only limited ones that apply to certain sectors or media.
PDPA in Malaysia:
The Personal Data Protection Act came into effect in 2013. Personal data is defined as any information/data or a chain of information that allows a living individual to be identified. The act requires organizations to obtain end-user consent prior to processing any personal data and to inform Malaysian users about the details of the website’s data processing. It applies to any website, company, or organization located in Malaysia. So, organizations outside Malaysia are not bound by these rules when they process the personal data of Malaysians. This is one of the main differences in comparison to the GDPR.
The Act also does not apply to federal or state governments nor to non-commercial transactions. Expert Mr. Teoh Aik Hong mentioned that regulations or legal guidance on Data Sovereignty are not yet in place in Malaysia.
PDPA in Singapore:
Singapore’s Personal Data Protection Act came into force in 2014 and was recently amended in 2020. It regulates the collection, use, and disclosure of personal data in Singapore as well as the transfer of personal data outside of Singapore. The Act applies to companies, organizations, or websites from anywhere in the world if they process personal data from inside Singapore.
DPA in the Philippines:
The Data Protection Act came into force in 2016. Personal information refers to any information from which the identity of an individual is ascertained or can be reasonably and directly ascertained, or which, when put together with other information, would directly and certainly identify an individual. It also applies extraterritorially to Philippine citizens, but it does not apply to the processing of personal data in the Philippines that was rightfully collected from residents of a foreign jurisdiction.
PDPA in Thailand:
The act came into force on 1 June 2022. Personal data is defined as information relating to a person which enables the identification of an individual. It applies to all organizations that collect, use, or disclose personal data in Thailand or of Thai residents.
For a company, it is therefore crucial to know where its customers reside, where the data it collects resides, and of course what data the business collects. Based on this, it can set up a data protection policy and put checks and measures in place to comply with the data regulations that apply.