Asia’s Data Privacy Dilemmas 2014–19: National Divergences, Cross-Border Gridlock
(2019) No 4, Revista Uruguaya de Protección de Datos Personales (Revista PDP), August 2019, 49-73
27 Pages Posted: 19 Nov 2019 Last revised: 30 Dec 2019
Date Written: August 30, 2019
In 2014, thirteen of the 28 countries in Asia had enacted data privacy laws. They all implemented the ten minimum (‘1st generation’) principles for a data protection law which had consolidated in the 1980/81 OECD and Council of Europe instruments. They also implemented a little over half of the additional ten ‘2nd generation’ principles which distinguished the 1995 EU data protection Directive. In relation to cross-border transfers, a variety of instruments contended for primacy.
Five years later, much has changed in Asia, although the number of countries with data privacy laws has only risen to 15 (adding China and Bhutan). Amended laws include those in Thailand, the first law with strong GDPR influences, and in Japan and Korea, affected by their bids for EU adequacy. India and Indonesia have Bills with strong GDPR influences, but – like China – also strong commitments to data localization. This article assesses all these national developments in terms of whether new models for Asian data privacy laws are emerging.
The overall result of this half-decade of national developments is that the average of Asian laws has moved from the inclusion of 5/10 ‘2nd generation’ or ‘European’ principles, to 6/10. Furthermore, there are at least 40 instances of ‘3rd generation’ principles typified by the innovations of the EU’s GDPR being adopted in Asian laws, the most popular being data breach notification requirements. Enactment of GDPR-influenced laws in India and Indonesia will strengthen these trends. However, the absence of any significant regional standards in Asia (in comparison with Africa or Latin America) means that the adoption of particular principles is not uniform, and ‘convergence’ is not a very valuable concept in Asia.
Although numerous international instruments and their effects are influential in Asia (the CPTPP free trade agreement, APEC-CBPRs, Convention 108+, and GDPR adequacy), none of these have become dominant, or are likely to. As a result, individual countries will choose to engage with them as suits their national interests and other obligations. The new element of data localization laws is influential in quite a few countries, is disrupting traditional alliances, and is causing new models for data privacy laws to emerge, particularly those including data localization.
Keywords: data protection, privacy, surveillance, Asia, APEC, ASEAN
Suggested Citation: Suggested Citation