Asia's Data Transfer Landscape?as Diverse as Its Culture
| Author | Vasu B. Muthyala and Jason J. Kang |
| Position | The authors are with Kobre & Kim, Hong Kong. |
| Pages | 16-17 |
Published in Litigation, Volume 44, Number 1, Fall 2017. © 2017 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be
copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. 16
VASU B. MUTHYAL A AND JASON J. K ANG
The authors are with Kobre & Kim, Hong Kong.
ASIA’S DATA TRANSFER
LANDSCA PE—AS
DIVERSE AS ITS
CULTURES
In recent year s, multinational corp ora-
tions (MNCs) have increasingly faced gov-
ernment investig ations stemming from
their Asian operations , including inves-
tigations r elating to corruption, mone y
laundering, and sanct ions. In 2016, the
Asia-Pacific region accounted for al most
one-third of the total f ines and penal-
ties the U.S. Depart ment of Justice as-
sessed in Foreign Corrupt Pract ices Act
enforcement actions. At the same t ime,
many Asian jur isdictions have established
and are enforcing data protec tion regimes
governing the tra nsfer of data outside
their jurisdict ion. Running afoul of these
rules can have serious cons equences. As
a result, MNCs routinely must navig ate
local data protection laws in at tempts
to comply with U.S. requests for infor-
mation. Similar to t he cultural, lingui s-
tic, and historica l differences between
Asian countries a re their approaches
to data protection. Here we provide an
overview of the data protect ion regimes
in four busy jurisdict ions in Asia: China,
South Korea, Hong Kong, and India.
People’s Republic of China
Taking data out of China is pa rticu-
larly complicated by the Law of the
People’s Republic of China on Guarding
State Secrets, the cur rent Guidelines
for Personal In formation Prot ection
within Public a nd Commercial Services
Information , and the recently published
draft r egulation Secur ity Evaluation of
Transfer ring Personal Inform ation and
Important Data Overs eas.
Transferri ng “state secrets” out of
China is prohibited. But what constit utes
a state secret is extremely wide-rang ing,
from activities of t he armed forces to
data relating to the nationa l economy, so-
cial development, and science and tech-
nology. This broad def inition, coupled
with MNCs’ par tnership with Chinese
state-owned enterprises, increases the
risks that infor mation may be deemed a
state secret. The consequences of violat-
ing state secret laws can b e severe, in-
cluding—in certa in circumstances—t he
death pena lty.
China is also st rengthening its protec-
tion of personal data. In 2014, a Chinese
court convic ted two British citi zens for
illegal collection of private dat a in con
-
nection wit h a multinat ional phar ma-
ceutical company. A recent draft reg ula-
tion, Secu rity Evaluat ion of Transfer ring
Personal Inf ormation and Impor tant Data
Overseas, published in April of t his year,
contemplates consent f rom the data sub-
ject and, in some cases , approval from the
regulator for any tr ansfer of personal data
out of China. This is not much change f rom
the 2013 enacted Guidelines for Personal
Information Protect ion within Public and
Commercial Serv ices Information, which
define the scope of personal in formation
and set out data-processing principles, in-
cluding recommending that per sonal data
not be transferred out of the jur isdiction
without the consent of the data subject .
But the draft reg ulation intends to make
this guideline binding.
To navigate this issue, M NCs should
consult Chinese law expert s familiar with
the state secrets reg ime to review and seg-
regate information th at may be classified.
South Korea
Unlike China, South Korea , a democracy,
does not have a state secrecy regi me. But
its Personal Informat ion Prote ction Act
(PI PA) enacted in 2011 is often descr ibed
as the strictes t data protection law in the
world. Under PIPA , “personal data” has
an extremely wide defi nition, covering
not only the information t hat can be used
to identify a person—including na me, ID
number, or photo—but als o information
that enables the recipient to easily identi-
fy a person if combined with ot her knowl-
edge. As a general ru le, PIPA prohibits
personal data from being prov ided to any
third part y, including a foreign regulator,
Global Litigator
To continue reading
Request your trial