University of New South Wales Faculty of Law Research Series
Last Updated: 9 February 2012
Major changes in Asia Pacific data privacy laws: 2011 Survey
Graham Greenleaf, Professor of Law & Information Systems, University of New South Wales
This paper was published at Privacy Laws & Business International Report, Issue 113: 1, 5-14, October 2011. This paper may also be referenced as  UNSWLRS 3.
Nearly a quarter of a century after data privacy laws (or as the Europeans say, ‘data protection’) first appeared in Asia and the Pacific, 2011 was a watershed year, with dramatic developments in the expansion of data protection laws in Asia. This article surveys data privacy legislation developments across Asia (from Japan to Pakistan, and from Mongolia to Indonesia), plus Australasia and the Pacific.
The highlights of these new developments are new data privacy laws in South Korea, Taiwan, Malaysia and India, privacy protections in Vietnam’s new consumer law, and reform proposals in Singapore, Hong Kong, Australia and New Zealand. Legislative action seems to parallel the accelerating scale of threats to privacy, typified by massive data breaches in country after country, but the causal relationship is beyond the scope of this article. The article analyses these development, and the state of play in other countries of the regions, by sub-regions, in order of where the most dramatic recent developments have taken place: South Asia; North Asia; Indo-China; Australasia and the Pacific. The emphasis is on developments over the last 18 months, but background on previous data privacy laws is provided. The article updates Greenleaf, G ‘Asia-Pacific Data Privacy: 2011, Year of Revolution?’ (2011) Kyung Hee Law Journal.
Nearly a quarter of a century after data privacy laws (or as the Europeans say, ‘data protection’) first appeared in Asia and the Pacific, 2011 is developing as a watershed year. Since the first version of this article in 2009 (‘Twenty-one years of Asia-Pacific data protection’ (2009) Privacy Laws & Business International Newsletter, Issue 100, 21-24) the period to October 2011 has seen more dramatic developments in the expansion of data protection laws in Asia than any previous period. Legislative action seems to parallel the accelerating scale of threats to privacy, typified by massive data breaches in country after country, but whether that is a causal relationship is beyond the scope of this article.
This article starts by surveying data privacy legislation developments across Asia (from Japan to Pakistan, and from Mongolia to Indonesia), plus Australasia and the Pacific. It does so by sub-regions: North(-East) Asia; the ASEAN countries (South-East); South Asia; and Australasia and the Pacific. Developments in the Americas, north and south, and West Asia (from Afghanistan westward) are separate stories not addressed here.
Two years ago there were seven jurisdictions in the region which had enacted data privacy laws (in chronological order of private sector coverage: New Zealand; Hong Kong; Taiwan; Australia; South Korea; Japan; Macau), and some were of limited scope (Greenleaf, 2009). Now they have been joined by India and Malaysia, but just as important is that South Korea and Taiwan have made major changes to expand and strengthen their laws. Australia and Hong Kong are in the process of so doing (just how major is still uncertain), and New Zealand has made significant changes in order to obtain an ‘adequacy’ rating from the EU. Even Singapore has promised a law, and China and Vietnam have introduced piecemeal protections.
Looking at data privacy legislation only gives part of the picture of privacy protection, because constitutional rights and general provisions of civil and criminal laws may also protect privacy, but that is not addressed here.
North(-East) Asia: change everywhere, except Japan
What do you call the group of countries influenced by Chinese cultural values and language comprised of China (including Hong Kong and Macau SARs), Taiwan, the Koreas, Japan and Mongolia? Some say ‘North Asia’ (as we will), scholars seems to favour ‘East Asia’, and we could compromise on ‘North-East Asia’ to distinguish ‘South East Asia’ and ASEAN. In North Asia almost all countries bordering the People’s Republic of China (PRC) have enacted or revised data privacy laws recently, including the two Special Administrative Regions of the PRC. If China ever goes in the same direction, North Asia will become the most ‘data privacy intensive’ region outside Europe.
South Korea – the new leader
Since the ‘June struggle’ democratic movement of 1987 South Korea has changed from authoritarian and undemocratic regimes to a liberal democracy. By 2005 it had the highest distribution rate of Internet broadband networks in the world. These factors have contributed to a society where South Koreans are very conscious of the potential abuses of government power, and of Internet issues, and demand that governments be concerned about privacy protection. Like Australia and Japan, it first introduced a data protection law covering its public sector, the Public Agency Data Protection Act of 1995. It is an Act enforced by the Ministry responsible for government administration, and an oversight body from within government, which are not generally considered to be active or effective. In the private sector, the legislation is to some extent sub-sectoral, with separate laws governing credit and medical information, but the Act on Promotion of Information and Communications Network Utilization and Information Protection of 2001 (often called the ‘Data Protection Act’) applies most generally to entities that process personal data for profit through telecommunication networks and computers. The 2001 Act was influenced strongly by the OECD Guidelines, but was strengthened beyond that in 2004 in relation to data breaches, data exports and other matters. The Personal Information Dispute Mediation Committee (PIDMC) mediates disputes concerning statutory privacy breaches by private sector bodies and provides financial compensation which is enforceable once the mediation is accepted. The PIDMC committees award compensatory damages in almost all cases where a breach of privacy provisions is found, usually even when they award correction or other remedies. Damages typically range from US$100 to US$10,000. The contrast with Hong Kong and most other jurisdictions is stark. The Korean Information Security Agency (KISA) receives over 17,000 complaints per year, and acts as the secretariat for the PIDMC. No significant self-regulation has occurred in South Korea, perhaps due to this effective enforcement.
Since 2004 there have been repeated but unsuccessful attempts in Korea to fuse the public and private sector provisions into a comprehensive data protection system with an independent supervisory agency, and they have finally borne fruit in 2011. A new Data Protection Act has been passed and promulgated (March 29, 2011), and will come into force on September 30, 2011. In the intervening six months, regulations and guidelines will be made. The most important changes in the new Act (Park and Greenleaf, 2011) demonstrate the innovative nature of the Korean reforms:
(i) All data processors, public and private, are regulated by the one Act, which completely replaces the previous public sector Act. Manually processed information is now covered. Korea, Taiwan and Macau are now the civil law jurisdictions in Asia with a single comprehensive data privacy law.
(ii) An independent Data Protection Commission (DPC) under the Presidential Office, composed of 15 members (including a chairperson and a standing commissioner) will deliberate on policy issues, laws and regulations, and investigate breaches of the Act and refer matters for prosecution. The PIDMC will now mediate both public and private sector disputes, and will come under the Commission administratively. The DPC will be the first independent national data protection authority (DPA) established in a civil law country in Asia.
(iii) Other new dispute resolution mechanisms are added. Collective mediation procedures may be used where there is widespread though minimal damages to data subjects. Representative lawsuits by consumer organisations will also be allowed, but only to seek injunctions against continuing activities infringing upon privacy subsequent to mandatory collective mediation procedures being invoked.
(iv) Collection and use of sensitive data, including universal identifiers like the resident registration number, will be prohibited without the specific consent of data subjects or authorization by law (which will have a major effect on Korean websites).
(v) Notification to data subjects of the source of personal data (other than themselves) will be required. Companies conducting marketing based on their own databases will now be required to obtain the data subjects' explicit consent.
(vi) Data subjects shall be notified of the option of refusing consent to collection or processing, and Korea’s unique ‘no disadvantage in case of refusal’ rule is continued.
(vii) Data breach notification to the affected data subjects will be compulsory, while significant data breaches must be reported to the DPC. Data processors must take efforts to minimize the effects of breaches.
(viii) Privacy Impact Assessments (PIAs) will be required in case of potential danger to data protection in the public sector, but only encouraged in the private sector.
(ix) CCTV may be installed in public places only for the purpose of prevention of crime, thus extending data protection into the regulation of surveillance.
South Korea’s new law may now be the theoretical benchmark for strong data protection in Asia, but this is subject to it being tested in practice to see if it delivers what it promises.
Taiwan – second time better
Taiwan’s Computer Processed Personal Data Protection Act was enacted in 1995, influenced by the OECD privacy Guidelines. It had limited coverage, dealing generally with the public sector but only eight specified private sector areas. There was no single oversight body, enforcement being left to the Ministries responsible for each industry sector. Evidence of the enforcement or effectiveness of the Act is lacking, but commentators were of the opinion that the Act is ineffective.
Taiwan’s new Personal Data Protection Act enacted 26 May 2010 is in effect a new piece of legislation. It will not be brought into force until late 2011 or early 2012 when the Enforcement Rules are completed. The Act is comprehensive in relation to both public and private sectors, and thus much more extensive than the previous Act in relation to the private sector. The revised Act still has no single oversight body, and does not create a data protection authority. Enforcement is left to the Ministries responsible for each industry sector. The obligations imposed by the Act have been considerably expanded, particularly those in relation to notice, and to sensitive data. Data exports (‘international transmission’) by private organisations (‘non-public agencies’) may be restricted by ‘the central competent authority for the relevant industry’ (A 21), but this is not an automatic prohibition on exports. The Act has the first example of an enforceable requirement to notify data subjects (but not the relevant authority) of data breaches in Asian data protection legislation, but it does not apply to all ‘data breaches’, only to those where the company or government agency has breached a provision of the Act. Contraventions of the Act, where damage is caused to another person, can be punished by imprisonment up to two years or substantial fines. Potentially more important are the extensive provisions for damages actions, and for class action litigation (where ‘the rights of multiple subjects are injured by the same causal facts’) by representative organisations which have objectives of protecting personal data. While not as innovative as Korea’s new law, this Act does bring Taiwan up to most aspects of international standards (Greenleaf 2010, 2011b).
The Taiwan government is also proposing to implement a trustmark system, the ‘Taiwan Personal Information Protection and Administration System’ (TPIPAS), the Ministry of Economic Affairs announced on May 27 2011. Under the TPIPAS, public and private institutions that prove they have met the standards required by the Act will be issued a Data Privacy Protection Mark (Hsu, 2011). This may be a system closer to the German model of a trustmark supervised by a DPA, rather than one supervised by private sector bodies (as in Japan and the US).
Hong Kong – refurbishing the old regime
In 1995 the colonial government of Hong Kong enacted the Personal Data (Privacy) Ordinance (1995), which covered both the public and private sectors, the first data protection law in Asia. With the ‘handover’ to China in 1997 the Hong Kong SAR became the first region of the PRC with a data protection law. Six Data Protection Principles are broadly consistent with the OECD privacy Guidelines, but are stronger in some important respects. The main problem with the Ordinance is that there is no provision for the Privacy Commissioner or the Administrative Appeals Board (to whom his decisions can be appealed) to award any compensation or other remedies to complainants, or to penalise organisations for breaches unless they persist with breaches. A provision allowing Courts to award compensation is unused, probably due to the expense and publicity involved, so the Ordinance suffers from under-enforcement. As a result, chronic data spills go unpunished, and complainants go uncompensated (Greenleaf 2010a, 2010c).
In July 2011 Hong Kong’s government put forward a Bill to amend the Ordinance. It does not include the extensive strengthening advocated by the Privacy Commissioner, but does propose modest improvements. Companies will always have to give individuals notice that they intend to sell their personal data, or even use it for their own marketing, but will still be allowed to do so unless the individual exercises an ‘opt out’ right. The Commissioner will now be able to order organisations to remedy contraventions of the Ordinance. Compensation proceedings will now be moved to a lower court, which may reduce the deterrent effect of the risk expensive court costs but will not remove them, and the Commissioner will be empowered to assist litigants. For the first time, the Commissioner will also be empowered to assist parties to reach a settlement or compromise. It is possible that the Bill may be strengthened by the legislature (LegCo), because of the extent of public disquiet over the data breach scandals involving police and hospitals, and data sales scandals involving data from the Octopus transit card, banks and telcos.
In the absence of any other useful deterrent sanctions in the current Ordinance, the Commissioner announced (June 2011) that he will ‘name and shame’ any organisation (company or agency) he finds has breached the Ordinance, whether or not they have discontinued the practice or made amends.
Macau – the new Euro-model
The Macau SAR has potentially one of the strongest data privacy laws in Asia, albeit from one of the smallest jurisdictions. The Personal Data Protection Act is very similar to Portugal’s legislation in most respects (though also influenced by Hong Kong’s Ordinance). As a result it is closer to the EU Data Protection Directive of 1995 than any other data protection legislation in Asia. Macao’s position as a region of the PRC makes this doubly interesting. The Office for Personal Data Protection (OPDP) has administered the Act since 2007, and has very extensive powers (Greenleaf 2009a). It has now issued three fines for contraventions of the Act (July 2009 and May 2011), against a government agency for disproportionate disclosure when providing all of the details of a person’s ID card to a mediation party who needed to locate them; against a bank for failing to observe a direct marketing opt-out; and against an individual decorating contractor for disproportionate disclosure of personal data. Perhaps more significantly, it intervened to cause the suspension of the use of mobile traffic surveillance cameras by the Traffic Services Bureau and the Public Security Police because it lacked legitimacy, in that the use might involve the collection and processing of sensitive data outside the sphere of public roads. The reasoning and the results are very European.
Japan – the illusion of privacy
Japan has had an Act on the Protection of Personal Information Held by Administrative Organs governing public sector data since 1988. It was strengthened to cover paper-based files and penalties for disclosures in 2003. The Act on the Protection of Personal Information provided the first coverage of the private sector in 2003. There are confusing exemptions for ‘small businesses’ based on the number of persons covered by their databases, for the media and others. The OECD-influenced principles in the 2003 Act are unexceptional, but their meaning is to a large extent determined by 24 different sets of Ministry guidelines aimed at different sectors. There is no central enforcement body. The Act has been held not to create a private right of action before the Courts, so complainants are left to the mercy of enforcement and mediation by relevant Ministries. There is no evidence of effective Ministerial supervision. Although consumer centres and government receive over 12,000 complaints per year, only a handful of complaint summaries are published (Shimpo and Greenleaf, 2011), and evidence of the Act’s effectiveness is lacking. The Act provides a formal role for ‘authorized personal information protection organizations’ (APIPO) to help resolve complaints in some way, but how they do this is obscure. The effect of the self-regulatory PrivacyMark system is equally enigmatic. In summary, it is possible that Japan’s legislation is observed by many companies and agencies, simply because it is the law, but there is no evidence at all that the law is ever enforced or that anyone ever obtains any remedies because of breaches (Greenleaf, 2010d). Japan’s Consumer Affairs Agency has taken lead responsibility for the law since 2009, but it is a miniscule part of what they do; they are powerless and only seem to regard ‘dissemination and awareness building’ as their role; and no obvious changes have yet resulted. Japan has one of the weakest data privacy laws in Asia, and there are no signs of change.
China – the Warring States period
In China data privacy laws have for the last five years been in what could be called the ‘Warring States’ period. In Chinese history, the Warring States Period from the early 5th century BC ended with the unification of China by Qin emperor in 221 BC, Now, the states in question are the many fiefdoms in the labyrinthine bureaucracies of the PRC, who cannot reach consensus on how data privacy should be regulated, and where a unified response still seems a long way off. In 2006-7, an EU-style draft Personal Information Protection Act drafted at the Institute of Law at the Chinese Academy of Social Sciences was under consideration, covering both the private and public sectors, but this no longer seems to be favoured (Greenleaf 2008, 2008a). The Informatics Committee of the State Council which was considering it has been abolished. China has no national civil law specifically protecting personal information, but some local governments are now enacting partial provisions. The Seventh Amendment to the Criminal Law of the PRC (February 2009) criminalises a wide range of disclosures of personal information and the obtaining of same, and is the first time that personal information has been directly protected by the criminal law in China. The PRC Tort Liability Law, which came into force in July 2010 includes a right to privacy (隐私权) in its list of protected ‘civil rights and interests’, but without defining further what is meant. This seems to mean that data privacy violations are a tort, but case law will be needed to clarify this. Data privacy provisions have also been included in sectoral laws and guidelines in 2009/10 the fields of money laundering, medical records, insurance, consumer protection and credit reporting (Hunton & Williams, 2011). Various Provinces have also enacted local data privacy codes, particularly in consumer law. The most recent development is that in February 2011 the Ministry of Industry and Information Technology (MIIT) Standardization Administration of China (SAC) issued draft ‘Guidelines for Personal Information Protection’, which are only intended as a non-enforceable standard, but also contain very strict ‘guidelines’ concerning data exports. A State Internet Information Office parallel to the State Council Information Office has also been established, perhaps indicating an intention of tighter Internet control (May 2011). These initiatives are piecemeal and incoherent. If they are eventually replaced by a national extension of data privacy rights in China, this is likely to have a strong influence throughout North Asia and the whole region. But at present it is jurisdictions like India, South Korea and Taiwan that are setting the benchmarks while China shows no leadership, only confusion.
Mongolia and North Korea – unique contrasts
We can complete the north Asian picture with its two northernmost states. Mongolia, previously a brutal communist dictatorship but now a parliamentary democracy with a substantial free market, has taken a unique route, adopting a Law on Personal Secrecy (1995) and Law on Personal Secrecy (Privacy Law), affecting laws covering various types of personal information and creating a right to sue for breaches, and regulate exceptions. There is training for officials, including taking of an oath. The effectiveness of the laws is not known.
North Korea, the world’s only hereditary communist monarchy, is a state based upon continuing surveillance of its population by the state apparatus, and savage repression of any dissent. No privacy rights are respected. There is no reason to expect any reform of this aspect of the regime, because that would be the end of it.
ASEAN potential (Indo-China, Indonesia and the Philippines)
The next stage of development of data protection legislation may come from the ten member states of ASEAN (Association of South East Asian Nations), but it has not yet happened: this is still the region of little but promises. Malaysia is the first to enact a private sector law, but after two years it is not in force, and Singapore has announced its intention to introduce a private sector Bill in 2012. Others have official drafts of legislation (Thailand, Philippines, and Indonesia), but show little evidence of progress, and others have piecemeal legislation.
ASEAN is important because ‘the ten Member Countries of ASEAN have a combined population of 575 million and a combined GDP of $US 1.8 trillion, making it one of the largest and most integrated regional organisations outside Europe’, and ASEAN ‘does have a history of the successful harmonisation of laws – something that is absent in APEC’ (Connolly, 2008). Unlike SAARC countries, ASEAN member countries have made a commitment to develop ‘best practices / guidelines’ on data protection by 2015, as part of their commitment to establish an integrated ASEAN Economic Community (AEC) by 2015. Although this falls short of a commitment to legislate on data protection, it is quite possible that there will be efforts to legislate by 2015 in some of the countries.
Malaysia – sleep until necessary
Current privacy protections in Malaysia are not significant, and Malaysian Ministers monotonously proposed to introduce comprehensive data protection legislation since 1998. In 2010, they finally did so, and enacted it quickly, but there the story stops. The Personal Data Protection Act 2010 was passed in April 2010 but is not yet in force. They have now announced they will establish a new department under the Information Communication and Culture Ministry to oversee the implementation of the Act, not to be brought into force until 2012 (Bernama.com, June 2011). It seems they are delaying as long as possible while appearing to do something. The Act will apply broadly to the business sector but not to non-business parts of the private sector, nor to government. The Personal Data Protection Commissioner required under the Act has not yet been appointed. The Commissioner when appointed, will not meet the international Data Protection Commissioners accreditation requirements concerning independence because he or she can be dismissed by the Minister without reasons, and the Minister may also give the Commissioner general directions consistent with the Act (Greenleaf 2010f; Munir and Yassin 2010, 219-20). The seven Personal Data Protection Principles (General; Notice and Choice; Disclosure; Security; Retention; Data Integrity; and Access), and additional rights to withdraw consent for processing and otherwise prevent processing for direct marketing are influenced strongly by the EU Data Protection Directive rather than by the OECD Guidelines or APEC Framework. The EU-style starting point is that processing of personal data (including collection) requires consent (s6), subject to many exceptions. Personal data may not be transferred outside Malaysia unless the destination is on a ‘whitelist’ specified by the Minister, after receiving the Commissioner’s advice, on the basis that the destination provides protection ‘at least equivalent’ to Malaysia. But it then provides far too wide a range of other exceptions by which to justify data exports, undermining the apparent restriction. The enforcement provisions in the Malaysian Act have borrowed all the serious flaws of the Hong Kong Ordinance, but worse in that there is not even the theoretical possibility of going to court to seek damages. Whereas the Japanese law is very difficult for anyone to understand, the flaws in this legislation are apparent to a casual glance.
Singapore – Low principles, many gaps likely
Singapore is one of the very few developed countries without data privacy legislation. Singapore’s Model Data Protection Code (2002) is an industry-based self-regulatory code with no known effect. In February 2011 the government announced it had finally completed a study of data protection regimes and expects to introduce a data protection Bill to Parliament in early 2012, and in September 2011 it released a Consultation Paper (Singapore, 2011). Further consultations are intended before enactment, but comments on the Consultation Paper are required by 25 October. The Bill will have a single ‘sunrise’ period before all its provisions come into force. Will this result in some further years of foot-dragging before an Act is in force, as in Malaysia? The Bill will not cover the government sector (as in Malaysia), which it says is ‘governed by an existing DP framework’, although this provides no legal rights against the government. The Discussion paper says the Bill will be based on the principles of the Model Code, which was derived from the OECD Guidelines but will also be influenced by legislation in the EU, UK, HK, Canada and NZ, and the APEC Privacy Framework. It will also take account of increasingly stringent provisions such as ‘Do Not Track’ proposals ‘by providing for the flexibility to comply with higher DP standards via an opt-in basis, if there is industry demand’. This is a novel, if amusing, approach: a law with all sorts of strong principles that in default will apply to no industry sectors. ‘Sectoral regulators may apply to the DPC to exempt their licensees from specific requirements under the general DP law where necessary.’ Depending on how these last two aspects are implemented, the Singapore legislation could end up looking like Swiss cheese, and made on a very low fat base.
The most likely shape of the legislation is as follows, given the preferences expressed in the Discussion Paper. It will apply to identifiable persons, whether alive or deceased (possibly, for up to 20 years). There will be special protection for some forms of sensitive data. There is not likely to be a ‘small business’ exemption. It is unlikely to cover businesses which do not have a presence in Singapore even if they collect data there. There will be exemptions for actions in a personal or domestic capacity; news organisations and news activities; and perhaps for artistic or literary purposes. Some form of ‘accountability’ approach to data exports is proposed, rather than a ‘border control’ approach. Normal security, access and correction rules are proposed, except that organisations will be allowed to recoup reasonable access costs, with no apparent limits. The law will be ‘based on consent, purpose and reasonableness. An organisation may only collect, use or disclose personal data with the individual’s consent, or where consent is deemed to be given under the DP Act, and for a reasonable purpose which the organisation has disclosed to the individual before collecting the data’ (Singapore, 2011). Opt-out approaches are under consideration. Proposed rules concerning limits on collection, use and disclosure are in line with the OECD Guidelines. Deletion or de-identification of data will be required once the organisation’s uses of the data are complete.
The legislation will also provide for a Data Protection Commission (DPC) and an Appeals Board, and its decisions will be open to judicial review. The DPC will have powers to issue orders for an organisation to rectify non-compliance with the DP law, and require the organisation to pay, within a specified period, a financial penalty of such amount not exceeding S$1 million (around US$1 million). There is no mention of a right of individuals to obtain compensation, only that the DPC might be able to stop penalty proceedings if a complaint is settled privately. Singapore is also considering a national ‘Do Not Call’ Registry.
It seems that Singapore proposes to develop the most minimal version of a ‘normal’ data privacy law, one at the more conservative and less protective end of the spectrum: it will not cover the public sector; its more onerous principles will be ‘opt-in’ by industry sectors; even some of the basic principles may be ‘opt-out’ for industry sectors (with DPC permission); and individuals will have no enforceable rights. But it will still be better than nothing.
Vietnam – consumers protected on the OECD model
Vietnam is still a communist state but one with a thriving private sector, and is the first such state to enact something close to comprehensive data privacy law for the private sector (none have for the public sector). Vietnam’s National Assembly passed a new Law on Protection of Consumers’ Rights on November 17, 2010, which took effect on July 1, 2011 (Vietnam, 2010), replacing the 1999 Ordinance on Protection of Consumers Rights. Its provisions strengthen consumers’ rights, include those on the use, collection and transfer of consumer information, in a brief but broad data privacy code. The scope of terms such as ‘personal information’ and ‘consent’ is not defined in this law, but other laws shed some light on their meaning. The new law expands those obligations in regard to all consumers, not just in the context of e-transactions (as was the case with earlier laws), but does not change the substance of those obligations (Baker & McKenzie, 2010).
Business entitles ‘trading goods and/or services’ (including individual traders) will have to satisfy the requirements of Article 6 ‘Protection of consumer information’. This includes a general confidentiality and security obligation (with a broad exemption for state agencies): ‘Consumers’ information shall be kept safe and confidential when they participate in transactions, use of goods or services, except where competent state agencies required the information’. It also includes five more specific obligations concerning the collection, use and transfer of consumer information’: ‘a) Notify clearly and openly the consumer of the purpose of the collection and use of consumer information before such activities being done; b) Use information in conformity with the purpose informed to consumers, and with the consent by the consumers; c) Ensure safety, accuracy, completeness during collection, use and transfer of consumer information; d) Update or adjust by themselves or help consumers to update and adjust as the information is found to be incorrect; e) Only transfer consumer information to third parties upon the consent of consumers, except where otherwise provided by law’.
There are some other provisions in the law which could also be valuable for privacy protection, including Article 10 (‘Prohibited behaviours’) which includes (1) ‘Attempt of organizations or individuals trading goods and/or services in deceiving or misleading consumers via advertising activities, or hide or provide information that is incomplete, false or inaccurate about one of the following details: ...c) The contents and characteristics of transaction between consumers and organizations or individuals trading goods and/or services’; and (2) ‘Organizations or individuals trading goods and/or services harasses consumers through the marketing of goods and/or services contrary to the wishes of consumers 02 or more times or other acts that obstruct or affect normal works or activities of consumers’. Direct marketing in Vietnam could be significantly affected by these provisions.
These principles have been quoted in full to show that they are very close to an OECD statement of principles (even though Vietnam is not a member of the OECD), and perhaps even more restrictive in relation to disclosures. For example, there are no principles dealing the destruction/de-identification after use, or sensitive data which are common in ‘European-influenced’ data privacy laws. On the other hand, nor do they share the unusual features of the APEC privacy principles not found in other sets of international principles (‘Harm’, ‘Consent’ and for data exports ‘Accountability’ principles). They are perhaps the closest to a pure set of OECD privacy principles yet seen.
The new law requires disputes be settled through negotiation, conciliation, arbitration, or court adjudication, and there are short provisions setting out the basic rules for each type of resolution. Social organizations involved in consumer protection can represent complainants, or individuals can act for themselves (Chapter 4, Consumer Protection Law) (Baker & McKenzie, 2011). However ‘[n]o negotiation or mediation is permitted in case of disputes causing damage to the interests of the State, the interests of many consumers, the public interest’ (Article 30(2)). ‘The Law does not specifically prescribe administrative sanctions and criminal penalties in case of breach to the Law. Generally, the Law only states that depending on the nature and seriousness of the breach, whoever breaches the Law shall be subject to an administrative sanction or criminal prosecution and must pay compensation in accordance with law for any loss or damage caused’ (Baker & McKenzie, 2011, interpreting Article 11).
The law does not establish specialist agency for privacy issues (a DPA), but nor do the laws of Taiwan, Japan or India. However, the Ministry of Trade and Industry is accountable for implementing the state administration on the protection of consumers’ interests (Article 47(1)), there is not a dispersal of obligations among many Ministries as in Japan and Taiwan. The Ministry is given many of the responsibilities that would normally fall on a DPA, but not a function of resolving individual complaints. Chapter III sets out the roles of ‘Social organizations to protect consumers’ interests’ (ie ‘consumer NGOs’), including ‘[t]aking legal action on behalf of consumers or taking legal action by virtue of the public interests’. The government can issue further guidelines or regulations under the law but has not done so as yet. Whether the data privacy aspects of the law will receive serious enforcement remains to be seen.
It is not clear whether Vietnam will attempt to develop a separate data privacy law, or whether the provisions in the Consumer Protection law are intended to be comprehensive for the private sector. As with Malaysia and Singapore, this is an ASEAN region law covering only the private sector. On paper, it has to be considered a serious data privacy law which, as in India, is embedded within a law of broader ambit.
The Philippines – another new Bill
The Philippines has little legislation as yet. The Electronic Commerce Act (2000) sets a general principle that businesses should give users choice in relation to privacy, confidentiality and where appropriate, anonymity, but it and a set of government guidelines have had little effect. The Supreme Court adopted in 2008 as a rule of Court, a Rule on the Writ of Habeas Data which has potential to protect privacy but has not yet been used.
An EU-influenced Data Privacy Bill with reasonably strong enforcement powers and a Commissioner has been before the Philippines Congress since 2009 (Parlade, 2009). The Data Privacy bill was among three non-fiscal bills filed in the 14th Congress but not passed. The Joint Foreign Chambers of commerce and the business processing outsourcing industry in the Philippines have warned that its lack of legislation on data privacy is a growing cause of concern for prospective investors and a substantial hindrance to the development of the outsourcing sector in the Philippines (Cahiles-Magkilat, 2011).
In July 2011 the House of Representatives passed the Data Privacy Act of 2011 (HB 4115). On 22 September 2011 Senator Angara, chair of the Senate Committee on Science and Technology, introduced in the Senate a version of the Data Privacy Bill, part of a trio of measures supported by the IT and business process outsourcing (BPO) industry who are facing compliance pressures from overseas clients. It is said to be influenced by the APEC Privacy Framework, and includes a National Privacy Commission.
Thailand – public sector only as yet
Thailand is the odd one out in ASEAN, with its Official Information Act 1997 provides basic but incomplete data protection in relation to government agencies. It set up a 32-person Official Information Commission (OIC) and a secretariat which serves it. As well as being a freedom of information Act, it also limits personal data collection and its retention, limits disclosures, requires security, and provides access and correction rights. It is, in effect, an information privacy law in relation to the public sector. There are a number of Bills proposing coverage of the private sector, and a privacy Commissioner, but none have been successful, partly due to the political turmoil in Thailand in recent years. The most recent Personal Data Protection Bill proposes a Personal Data Protection Board, and as well as a detailed data protection code includes features such as a registration system and a certification scheme (Duncan 2011). The incoming Cabinet of new Prime Minister Yingluck Shinawatra did not include this Bill in its legislative programme by the August 29 deadline, but the existing Bill (which had been approved by the previous Cabinet) is apparently the basis for reconsideration by the new government.
The rest of ASEAN – mixed prospects
Indonesia’s Law on Information and Electronic Transaction (2008) provides a very broad right to compensation for misuse of personal data by electronic media, but is too new to be of significance yet. A draft Bill has been prepared, influenced by the OECD Guidelines and other international instruments but is not yet public (Sinta Dewi 2009), and after three years has not reached the government’s legislative agenda. In contrast, the national ID Card Program was launched in 2010 and is being implemented across Indonesia by the Department of Home Affairs. Indonesia has both a thriving private sector and an increasingly robust democracy, so there is more prospect of data privacy developments there in either of those sectors than in the remaining ASEAN countries.
No privacy developments are known in the remaining ASEAN countries of Myanmar, Cambodia, Laos, Timor Leste, and Brunei. None of these are countries with thriving commercial sectors, nor democratic institutions (except for Timor Leste), so the indicators for data privacy laws are not strong. Whether there will be any developments by the 2015 ASEAN ‘deadline’ is an open question. If Timor Leste legislates, it will be likely to be as a result of the influence of other lusophone (Portuguese-speaking countries).
South Asia: India, outsourcing, and ‘adequacy’
Two years ago I described South Asia as the ‘final frontier’ for data protection in Asia (Greenleaf, 2009), but noted ‘the situation there is capable of rapid change’ if ‘commercial pressure from Europe’ is applied, and this seems to be the case with India. However, unlike North Asia where data privacy developments are occurring in all countries, in South Asia India is ‘going it alone’ as yet.
India – Confusion Raj
India sought an ‘adequacy assessment’ from the EU in 2009/10 (no outcome has been announced), so it is clearly desirous of a favourable view from Europe, to ease compliance burdens in relation to outsourcing. At that time it had no significant data protections laws in force. The Information Technology Act 2000 covered little of significance to data privacy, and amendments to it in 2008 which could create remedies for disclosure of ‘sensitive’ information depended on Rules yet to be made. The Credit Information Companies (Regulation) Act 2005 is a potentially significant comprehensive credit reporting code, but it is still being brought into effect by the Reserve Bank of India. There was no evidence of any effective self-regulation. An unknown factor is whether India’s Supreme Court might develop the constitutional protection of privacy in such a way that it forces the government to enact a law to provide data protection, as it did in requiring right to information legislation. Therefore, as of 2010, the only effective aspect of data protection in India (Greenleaf, 2011a) was the right of access to personal information held by any public body in India, under the Right to Information Act 2005, which is actively enforced and has already generated a large body of case law.
Six months later, the situation is quite different. India has implemented an extensive data privacy regime (limited to the private sector) through Rules made under s43A of the IT Act (as amended in 2008), which deals with negligence in providing and ‘maintaining reasonable security practices’ (April 2011). The essence of India’s data protection scheme seems to be that the Rules made under s43A comprise part of the obligations on companies to both have in place and to implement a comprehensive information security programme (Greenleaf 2011). Whether the whole s43A scheme is ultra vires, or even unconstitutional, may eventually be tested by the Courts, but for now it is the law. The Rules then set out a conventional set of data protection principles with an OECD flavour. The Rules also provide data export limitations, requiring that an overseas recipient ‘ensures the same level of data protection’ as provided by the Rules, plus exceptions for consent and contracts. They also attempt to control what use foreign recipients make of data from India when they use it in their own countries, an innovation sure to annoy those opposed to effective data protection. Enforcement of complaints is through a special system of investigation by Adjudicating Officers, with a right of appeal to the Cyber Appellate Tribunal (CAT). There is no limitation imposed on the compensation that can be awarded under s43A by a CAT, but it cannot provide any other remedies. The whole system is as yet untested, but has the appearance of a serious data privacy regime, except for the absence of a DPA. In August 2011 the relevant Ministry seemed to panic about what it had done with these Rules, and issued a ‘Press Note’ which purported to ‘clarify’ them to the effect that they did not apply to companies in India and overseas involved in outsourcing relationships. The interpretations in the ‘Press Note’ attempt to defy the meaning of the words in the Rules and the legislation, and are best ignored.
That absence will be remedied if a draft Bill being formulated by the government becomes a law. The draft Privacy Bill, 2011 (India Legislative Department, 2011) will create a three person Data Protection Authority of India (DPAI). The Bill will also create a statutory right of privacy (another first for the Asia-Pacific), open-ended in its definition but including rights of confidentiality, freedom from surveillance, and protection of personal data (possibly including the specific rights under the s43A Rules system). The Bill also sets out a detailed data privacy code, somewhat different from that under the s43A Rules. The DPAI will have very extensive functions, including keeping a register of data controllers (a step out of keeping with all other Asia-Pacific laws), and strong powers to investigate the actions of any data controller and issue directions to them. Individuals will be able to lodge complaints against data controllers with the CAT, which would be empowered to make any orders it thinks fit including compensation. A bizarre aspect of the Bill, for a country seeking an EU adequacy finding, is that it limits its protection to Indian citizens. The Bill is very complex, including detailed controls on surveillance as well, but only a draft as yet, and will undoubtedly be modified very considerably before it progresses. But if it goes ahead in anything like this version, India may get one of the stronger Asia-Pacific privacy regimes.
The rest of the SAARC – resting
In the rest of the SAARC (South Asian Area of Regional Cooperation), comprising Pakistan, Bangladesh, Sri Lanka, Nepal, Maldives, and Bhutan, there are no signs of data protection developments, but plenty of developments in ID cards and other surveillance systems. However, both civil society and business organisations are starting to call for data privacy laws, in Bangladesh, Nepal, Sri Lanka, the Maldives.
Regional agreements are unlikely to be a factor, as SAARC has shown little interest in privacy. It is possible that the rapid developments in India may spark changes in its neighbours as well, both because they compete with India for outsourcing work, and because India’s new law may prevent exports of personal data to them as well.
Australasia and the Pacific
Australia and New Zealand were two of the earliest countries in the region to develop data protection laws, and their law have had some influence on others in the region. In recent years weaknesses in the Australian law have become apparent, whereas the strength of the New Zealand law has been sufficient for it to (soon) receive the region’s first ‘adequacy’ assessment from the EU.
New Zealand – ‘Best in show’ to be improved further
New Zealand’s Privacy Act 1993 was the region’s first comprehensive law governing both public and private sectors and establishing the office of Privacy Commissioner. Its twelve information privacy principles (IPPs) are substantially based upon on the OECD Guidelines with some Australian influences. It is probably the most effectively enforced law in the region. Most of the approximately 650 complaints per year received by the Commissioner are closed within the year of receipt, many resulting in agreed settlements. However, around twenty per year are referred to the Human Rights Review Tribunal (HRRT), which has powers to make enforceable orders and often does so. The highest damages awarded has been NZ$40,000, followed by NZ$20,000. There are numerous damages awards for wrongly collecting information, poor security safeguards, wrongly denying access, holding inaccurate information on a database, and wrongful disclosure of information. There are rights of appeal to the High Court, which has heard twenty three such cases, and to the Court of Appeal which has heard one case. As a result of around 200 such HRRT and Court decisions, New Zealand has a rich body of privacy law, and an Act where complainants and respondents alike can understand the consequences of breaches. In 2010 New Zealand remedied the weakest aspect of its law, the lack of a data export restriction, but (as with Taiwan) it is the softest form of restriction, requiring the Commissioner to take discretionary action to prohibit an export.
However, the improved Act, despite some other departures from EU standards, was good enough for the EU’s Article 29 Working Party to consider that New Zealand’s data privacy protection should be considered ‘adequate’ (March 2011), and a formal adequacy finding by the EU will now almost certainly follow. A contributing reason was that New Zealand is a long way from Europe, is not significantly involved in outsourced processing of the data of EU citizens, and its laws are likely to have few other effects on Europeans (Greenleaf and Bygrave 2011).
NZ’s Law Commission August 2011 Review of the Privacy Act 1993 contains over 100 recommendations. It recommends two new powers for the Privacy Commissioner: (i) the power to issue breach notices, requiring rectification (as in Hong Kong and many other jurisdictions; and (ii) powers to require an audit. Data breach notification should be mandatory in cases where notification will enable people to take steps to mitigate a risk of significant harm, or where the breach is a serious one (for example, because the information is particularly sensitive). Notification should be made to the individual whose information has been compromised, and also to the Office of the Privacy Commissioner. To streamline the complaints process, the Privacy Commissioner should be able to decide whether to bring proceedings in the Human Rights Review Tribunal, and should be able to make binding decisions on “access” complaints. The Act should provide more clearly for representative complaints. The current exemptions for ‘personal or domestic affairs’ should be limited if the collection, use or disclosure of information would be ‘highly offensive’. It is interesting that a country that does have a ‘public disclosure of private facts’ type of ‘privacy tort’ is also proposing to use a data privacy law in this way. Stronger exemptions in relation to health and safety are proposed. The Law Commission does not recommend an opt-out right in relation to direct marketing, and considers that if a Do Not Call register is considered, it should be part of consumer law, thus leaving NZ still imposing no direct legal controls over direct marketing.
The Law Commission thinks that a new mechanism is needed in the Act for information sharing between government agencies: they should be drawn up as agreed programmes; go through a process of consultation, including with the Privacy Commissioner; be approved by Cabinet; and be subject to review by Parliament. Approval by the Commissioner is not required.
NZ currently has very limited controls on data exports (see above). The Law Commission recommends that where a New Zealand organisation sends personal information offshore to be stored or processed on its behalf, the agency should remain fully responsible for what happens to that information. But where it otherwise discloses information, the discloser should be required to take reasonable steps to ensure that the information will be subject to acceptable privacy standards. This is a version of the ‘accountability’ approach.
These reforms will strengthen what is already arguable the best data privacy law in Asia in the reality of its implementation, although the data export proposal is perhaps not the best option possible.
Australia – comatose at most levels
Australia’s Privacy Act 1988 (Cth) only covered its federal public sector, but was the first law in the region to enact a full set of Information Privacy Principles (IPPs), based on the OECD Guidelines, and establishing an office of Privacy Commissioner. The Act was expanded in 1991 to cover credit reporting, and finally in 2001 to include the private sector, but with notable very large exceptions for employment records, for so-called 'small business operators' (defined broadly enough to exempt about 90% of all Australian businesses), political activities and media activities. The Act has relatively strong enforcement provisions, but a series of Privacy Commissioners have been unwilling to use them. When combined with the absence of any provisions for complainants to appeal to the Courts, this has resulted in only a handful of ‘determinations’ by the Commissioner, and one significant Court decision, after twenty-three years. So Australia’s federal privacy law is still largely unknown territory, and some agencies and companies may well treat its more difficult provisions as optional in the absence of any evidence of enforcement. Almost all of Australia’s States and Territories now have data protection laws for their public sectors, some with more effective enforcement through administrative Tribunals.
An unusual provision in the Privacy Act (s98) allowing any party to go directly to the Federal Court (bypassing the Privacy Commissioner), but only to obtain an injunction against breach of one of the Principles, has received its second use in over 20 years. An applicant for ‘silk’ (appointment as Senior Counsel) successfully obtained an injunction to prevent the NSW Bar Association from announcing the results of his application until he was able to access the information on which the decision was to be made (while preserving the anonymity of those commenting on his application) in order for him to see whether any of it was erroneous and if so to decide whether he would further challenge it under the Act (Smallbone v New South Wales Bar Association  FCA 1145).
The Australian Law Reform Commission commenced a review of the Privacy Act in 2006, and the first part of a very weak government Bill to reform it (dealing with principles) is now under consideration by Parliament, with a Senate report on the Bill suggesting few improvements (May 2011). The part of the Bill dealing with the enforcement deficiencies of the Act has not even reached Parliament after five years. However, the government has moved forward consideration of a statutory privacy action, taking advantage of the current controversies in the UK and elsewhere concerning the media and privacy, and has released (yet another) issues paper (Australian Government 2011). At this stage there is little reason to expect significant improvements to Australia’s performance in privacy protection. An imperfect but usable Act has been made largely redundant by lacklustre administration that has failed to create anything resembling responsive regulation.
PNG and the Pacific – nothing yet
There are no known data privacy developments in Papua New Guinea, or the many countries in the Pacific Islands.
A watershed year?
From the survey in this paper we can see that the past year has delivered significant changes in many countries in the region: a startling new adoption of data privacy law in India, soon to be the world’s most populous country, with promise of more to come; much stronger new laws in South Korea and Taiwan, containing new elements for regional laws; new legislation in Vietnam and in Malaysia, and promises of such across the Straits in Singapore; new approaches to enforcement in Macao and Hong Kong (and a Bill for stronger laws); the region’s first ‘adequacy’ assessment a step closer in New Zealand; Bills for new Acts in Parliament in the Philippines and possibly still in Thailand; reform Bills progressing at snail-pace in Australia; consumer protection provisions in Vietnam; and in China (last but not least) new tort provisions, and somewhat confusing draft ‘standards’.
A reasonable conclusion is that data privacy laws have ‘come to stay’ across the Asia-Pacific, although in many different forms. Their gradual spread to other Asian jurisdictions now appears to be inexorable, and also to involve periodic significant strengthening of those laws that already exist. Furthermore, a weak model of data protection (such as could have been derived from the APEC Privacy Framework) is not the general pattern, with jurisdictions such as South Korea, Taiwan, Macao and (to a lesser extent) Malaysia and India demonstrating strong and often innovative provisions and strong ‘European’ influences. 2011 may in hindsight be recognised as a watershed year for data protection in Asia.
Acknowledgments: The assistance is acknowledged of Robin McLeish (Hong Kong), Don Harris (Philippines), Whon-il Park (South Korea), David Duncan (Tilleke & Gibbins, Thailand) and Patrick Gunning (Mallesons, Australia). An earlier version of this article is in the Kyung Hee Law Journal, Seoul.
APEC (Asia Pacific Economic Cooperation) (2005) APEC Privacy Framework, available at <http://publications.apec.org/publication-detail.php?pub_id=390>
Australian Government (2011) Statutory Cause of Action for Serious Invasion of Privacy Issues Paper, at <http://www.dpmc.gov.au/privacy/causeofaction/>
Australian Senate (2011) Report on Privacy Amendment Legislation <http://www.aph.gov.au/senate/committee/fapa_ctte/priv_exp_drafts/report_part1/index.htm>
Baker & McKenzie (2011) ‘Consumer Protection Law’ Client Alert, January 2011
Baker & McKenzie (2010) ‘Vietnam’s New Consumer Protection Law Consolidates Consumer Rights on Protection of Personal Information’ Client Alert, December 2010
Bernama.com (2011), ‘New Department To Oversee Implementation Of Malaysian Personal Data Protection Act 2010’, 20 June 2011 at <http://www.bernama.com.my/bernama/v5/newsgeneral.php?id=595355>
Cahiles-Magkilat, B (2011) ‘Lack of legislation on data privacy protection worries investors – JFC‘ Manila Bulletin, June 7, 2011 at <http://www.mb.com.ph/articles/321581/lack-legislation-data-privacy-protection-worries-investors-jfc>
Connolly, C (2008) ‘A new regional approach to privacy in ASEAN’, Galexia website, 2008 at <http://www.galexia.com/public/research/articles/research_articles-art55.html>
Council of Europe (1981) Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, European Treaty Series No. 108; adopted 28th Jan. 1981
D Duncan ‘Personal Data Protection in Thailand’ 20 July 2011, Tilleke & Gibbins website, available at <http://www.mondaq.com/x/139148/Privacy/Personal+Data+Protection+in+Thailand>
EU Directive (1995) Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data, adopted 24th Oct. 1995 (Official Journal of the European Communities (O.J.), L 281, 23rd Nov. 1995, p. 31 et seq.)
Greenleaf, G (2011) ‘India attempts data protection by regulations’ Privacy Laws & Business International Report, Issue 110, April 2011
Greenleaf, G (2011a) ‘The Illusion of Personal Data Protection in Indian Law’ (2011) 1 (1): 47-69 International Data Privacy Law, Oxford University Press, available at <http://idpl.oxfordjournals.org/content/1/1/47.full>
Greenleaf, G (2011b) ‘Breach notification and diffused enforcement in Taiwan’s DP Act’ Privacy Laws & Business International Report, Issue 109, 12-13, February, 2011
Greenleaf, G (2011c) ‘Outsourcing and India’s new privacy law: No cause for panic’ Privacy Laws & Business International Report, Issue 111, 16-17, July, 2011
Greenleaf, G (2010) ‘Taiwan revises its Data Protection Act’ 108 Privacy Laws & Business International Newsletter 8-10 (December 2010)
Greenleaf, G (2010a) ‘Octopus, insurers, banks, Commissioner, snared in Hong Kong data sales scandal ’ (2010) 107 Privacy Laws & Business International Newsletter 8-9 (October 2010)
Greenleaf, G (2010b) ‘Country Studies B.2 – AUSTRALIA’ in Korff, D (Ed) Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments’ European Commission D-G Justice, Freedom and Security, May 2010, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/studies/new_privacy_challenges/final_report_country_report_B2_australia.pdf>
Greenleaf, G (2010c) ‘Country Studies B.3 – HONG KONG’ in Korff, D (Ed) Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments’ European Commission D-G Justice, Freedom and Security, May 2010, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/studies/new_privacy_challenges/final_report_country_report_B3_hong_kong.pdf>
Greenleaf, G (2010d) ‘Country Studies B.5 – JAPAN’ in Korff, D (Ed) Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments’ European Commission D-G Justice, Freedom and Security, May 2010, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/studies/new_privacy_challenges/final_report_country_report_B5_japan.pdf>
Greenleaf, G (2010e) 'Australia’s proposed reforms (Pt II): Privacy remedies' (2010) 104 Privacy Laws & Business International Newsletter 10-12, April 2010
Greenleaf, G (2010f) 'Limitations of Malaysia’s data protection Bill' (2010) 104 Privacy Laws & Business International Newsletter 1, 5-7, April 2010
Greenleaf G (2010g) 'Australia's proposed reforms: Unified Privacy Principles' (2010) 103 Privacy Laws & Business International Newsletter, 15-17, February 2010
Greenleaf, G (2009) ‘Twenty-one years of Asia-Pacific data protection’ (2009) Privacy Laws & Business International Newsletter, Issue 100, 21-24
Greenleaf, G (2009a) 'Initial enforcement of Macao's data protection law' (2009) 101 Privacy Laws & Business International Newsletter, 9,27, October 2009
Greenleaf G (2009b) ‘Five years of the APEC Privacy Framework: Failure or promise?’ ‘ (2009) Computer Law & Security Report 25 CLSR 28-43
Greenleaf, G (2008) ‘Enforcement aspects of China’s proposed Personal Information Protection Act’ (Part II) Privacy Laws & Business International Newsletter, Issue 92: 11-14, April 2008
Greenleaf, G (2008a) 'China proposes Personal Information Protection Act' (Part I) Privacy Laws & Business International Newsletter, Issue 91: 1-6, February 2008
Greenleaf, G., Australia’s APEC privacy initiative: the pros and cons of ‘OECD Lite’, Privacy Law & Policy Reporter, 2003, 10(10), p. 1–6; longer version available at <http://www2.austlii.edu.au/~graham/publications/2004/APEC_V8article.html>
Greenleaf G and Bygrave L (2011) ‘Not entirely adequate but far away: Lessons from how Europe sees New Zealand data protection’ Privacy Laws & Business International Report, Issue 111, 7-8, July, 2011
Greenleaf, G and Waters, N (2010) ‘Australian Privacy Principles’ – two steps backwards’ (2010) 106 Privacy Laws & Business International Newsletter 13-15, August 2010
Hsu, A (2011) ‘MOEA initiates private data protection system’ Taiwan Today, 27 May 2011 at <http://taiwantoday.tw/ct.asp?xitem=165720 & CtNode=415>
Hunton & Williams LLP (2011) ‘A Summary of Developments in Personal Information Protection in China since August 2009’, Hunton & Williams website 2011 (no longer available on web)
India, Legislative Department (2011) Draft Privacy Bill 2011 (Third Working Draft, Legislative Department, 19 April 2011), available at <http://bourgeoisinspirations.files.wordpress.com/2010/03/draft_right-to-privacy.pdf>
Munir, A and Yasin, S (2010) Personal Data Protection in Malaysia Sweet & Maxwell Asia, 2010
OECD Guidelines (1980) Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data adopted by O.E.C.D. Council on 23rd Sept. 1980 (O.E.C.D. Doc. C(80)58/FINAL)
Park W and Greenleaf G (2011) ‘Korea reforms data protection Act’ Privacy Laws & Business International Report, Issue 109, 20, February, 2011
Parlade, C (2009) ‘Philippines likely to adopt EU-style privacy and DP law’ Privacy Laws & Business International Newsletter, Issue 95, 16-18, October , 2008
Rule J and Greenleaf G (Eds) (2008) Global Privacy Protection: The First Generation, Edward Elgar, Cheltenham, 2008
Singapore (2011) Ministry of Information, Communication and the Arts ‘Consultation Paper: Proposed Consumer Data Protection Regime For Singapore’ September 2011
Shimpo F and Greenleaf G (2011) ‘Japan’s privacy complaints listed’ Privacy Laws & Business International Report, Issue 109, 9-10, 16, February, 2011
Sinta Dewi, (2009) ‘Indonesia’s plans for privacy law’ Privacy Laws & Business International Newsletter, Issue 97, 17, February, 2009
Vietnam (2010) Law on Protection of Consumer’s Rights at <http://vbqppl.moj.gov.vn/vbpq/en/Lists/Vn%20bn%20php%20lut/View_Detail.aspx?ItemID=10489>
Yeo, V (2011) ‘S'pore sets data protection law for 2012’, 16/2/2011 on ZNet website at http://www.zdnetasia.com/spore-sets-data-protection-law-for-2012-62206733.htm
Graham Greenleaf is PL&B Asia Pacific Editor and Professor of Law & Information Systems, UNSW, Australia.