University of New South Wales Faculty of Law Research Series
Last Updated: 23 August 2012
Asia-Pacific data privacy laws: Legislative progress mid-2012
Graham Greenleaf, Professor of Law & Information Systems, University of New South Wales
8 July 2012
This paper was published in Privacy Laws & Business International Report, Issue 118: 13-15, July 2012. This paper may also be referenced as  UNSWLRS 36.
Following a year of rapid developments in 2011, the pace of change in the Asia-Pacific data privacy laws has slowed, with most developments of new and amended laws still in the ‘pending’ category as at 30 June 2012. The exception are Hong Kong which has just enacted substantial reforms, and the Philippines where both houses of the legislature have now passed a ‘reconciled’ version of the Data Privacy Act of 2011 which now awaits Presidential approval. This article surveys the status of amendments to existing laws, and enactment of new law across the region.
Hong Kong’s Legislative Council (LegCo) has on 27 June 2012, after a year’s deliberation, passed the government Bill to amend the Personal Data (Privacy) Ordinance, the most substantial amendments to the PDPO in fifteen years. The Government’s proposed amendments to the Bill <http://www.legco.gov.hk/reporter/english/legco_bill201206291-e.pdf> , moved by the Secretary for Constitutional and Mainland Affairs, were adopted. The private member's amendment <http://www.legco.gov.hk/yr11-12/english/counmtg/papers/cm0606cb3-850-e.pdf> , moved by Mr James To, were not adopted. The amendments to the Bill are largely of a technical nature, except that the whole of Part VIA concerning use of personal data in direct marketing has been replaced by redrafted sections. The amended Bill will be analysed in a subsequent issue. The original Bill is discussed in PLBIR Issue 113, pgs 15-19. The Personal Data (Privacy) (Amendment) Ordinance 2012 is in the Gazette at <http://www.gld.gov.hk/cgi-bin/gld/egazette/index.cgi?lang=e&agree=0
The Hong Kong Privacy Commissioner has welcomed the passage of the Bill, although noting it had not included all amendments recommended by his office. He welcomed in particular that his office ‘will be empowered to provide legal assistance in meritorious cases to aggrieved data subjects to seek compensation from the data user for damage suffered’ because of contraventions of the Ordinance’, and the ‘tighter regulation of corporate data users on the use of customers’ personal data in direct marketing and the transfer/sale of the data to third parties’.
Taiwan’s Personal Information Protection Act of 2010 (PIPA) is not yet in force. The Ministry of Justice announced in June 2012 that the Act would become operative in October, with the exceptions of Article 6 (sensitive personal information) and 54 (notification). These controversial articles will be held back so that they can be amended. The Ministry has drafted a bill to amend the PIPA, and it is currently being reviewed by the Executive Yuan.
In Macau, although its legislation has been fully operative since 2006, its Office for Personal Data Protection (OPDP), has not been formally established by legislation and is still a ‘projecto’. As a result it has not been able to join those international data protection bodies which have acceditation standards requiring a DPA independent from government. Separate legislation to define the functioning and structure of the office is in draft, and it is intended that it will be submitted to the Legislative Assembly by the end of 2012 if the legislative schedule permits. The authority has recently added considerably more English cases notes to its website <http://www.gpdp.gov.mo/en/> .
The Peoples Republic of China deputy director of the Ministry of Public Security’s criminal investigation departmen, Liao Jinrong, said in an interview with China Daily that further criminal laws to protect privacy were under consideration. The ministry is negotiating with the Supreme People's Procuratorate and Supreme People's Court to push legislation for the protection of personal data, he said. Mr Liao stated that, ‘although the existing Criminal Law includes crimes of illegaly obtaining, offering, or selling of personal data, China lacks a specific regulation with a clear definition of such crimes, making it difficult to obtain convictions’.
ASEAN region (South-East Asia)
Malaysia’s Personal Data Protection Act of 2010 (PDPA) has not yet been brought into force. Despite a comment in February 2012 by Malaysia’s Information Communications and Culture Minister Datuk Seri Dr Rais Yatim that the Act may be brought into force as early as June 2012 (and some commentators taking this as fact), it is taking longer than that. The current position is that the Director General of the Personal Data Protection Department (PDPP) has been appointed and is based in Putrajaya. The Attorney General's Chambers has substantially completed drafting the guidelines/regulations undet the PDPA, which will then be sent to the PDPP for review. The final draft will be discussed with the Minister prior to being forwarded to the Prime Minister's Department, which will then notify the Parliament of the proposed gazetted date of the regulation, inclduing the commencement date of the legislation. An optimistic view of this process could see it completed by September, but is quite likely to take longer, given that a general election is expected in September/October. If a Data Protection Commissioner is to be established, as provided for in the Act, he or she would be appointed at that time. Whether this will occur has still not been made public, and perhaps is most likely to occur in the context of post-election appointments. The Act would still have to come into force at some date after these matters were completed, so perhaps ‘in force by the end of 2012’ is more realistic optimism.
The Philippines Senate passed the Data Privacy Act of 2011 on 20 March 2012, but the Senate Bill differed from House Bill 1554 passed in 2011, requring a bicameral conference committee to ‘reconcile’ the versions of the two houses, so that the reconciled version could then be signed by the President after passage by both Houses. A bicameral committee did in fact clear the Data Privacy Act just before the Philippines Congress ended its formal session in mid-June 2012, but only after some contentious provisions (mainly concerning the media) were revised. According to press reports, in early June the House of Representatives and the Senate then ratified the bi-cameral conference committee report which reconciled House Bill 4115 and Senate Bill 2965 and forwarded the proposed act to President Benigno S. Aquino III to sign into law. This had not yet occurred by the end of June 2012. According to the Business Processing Association of the Philippines (BPAP), the Act will benefit the Philippines IT-BPO industry, which it claims had US $11 billion in revenue in 2012 and employed 640,000 direct employees.
In 2011 India implemented a data protection code by regulations to an existing Act, then tried to repeal part of its effected by a a press release (see Issue 110, April 2011 and Issue 114, December 2011). Separately from these developments, a comprehensive Right to Privacy Bill has been under development within the Indian government, and a number of version have become unofficially available (one was analysed in Issue 112, 21-24, September 2011), although the Bill has not yet gone to the legislature. A high level 'Group of experts to deliberate on Privacy issues' was established on 26 December 2011 by the very influential Planning Department, with broad terms of reference to study privacy laws in other countries, analyse the impact of current government programmes on privacy, and to make 'specific suggestions' 'for incorporation in the proposed draft Bill on Privacy'. The Group of Experts is under the chairmanship of Justice A P Shah, former Chief Justice of the Delhi High Court, and includes senior representatives from government, industry and civil society. The membership of the 'Group of experts to deliberate on Privacy issues', and their terms of reference is at <http://cis-india.org/news/internet-governance/constitution-of-group-of-experts.pdf> . They were to report by the end of March 2012 but that was then delayed to the end of June 2012. A member of the expert group has confirmed that they expect to complete their report in August or September. This official committee is the most public step India has taken toward development of a comprehensive privacy law, and its report will be a matter of considerable importance.
The Union Territory of Chandigarh, a ‘city state’, has become the first India State or Territory to implement a data privacy law. The administration of the Chandigarh Union Territory sought comments from the police before communicating its consent to the Ministry of Home Affairs on the Right to Privacy Bill, 2011. According to press reports, the new law will bar collection of personal information by any agency by unlawful means., as well as using or disclosing information on a person's private affairs. Spying on or following someone in a manner likely to harass him or her or photographing someone while he or she is in their private premises is also covered.
The Australian Government’s Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (discussed in an accompanying article) has been introduced into Parliament, and referred to Committes of both the House (to report by 21 September) and the Senate (to report by 14 August). Both Committees are now receiving submissions. Observers estimate that it is then likely to be October before the Bill is debated in the House of Representatives, and November before there is a Senate debate. An optimistic view is that the Bill might be passed and receive Royal Assent before Parliament rises for Christmas. If so, the credit reporting provisions of the Bill, the aspect that is of most interest to the business community, would commence nine months after assent, or around September 2013. However, the Australian Parliament is on a political knife-edge at present, and it is possible, if unlikely, that an election could be called before the end of the year.
In New Zealand, there is no data protection reform legislation announced as yet, but Privacy Commissioner Marie Shroff has welcomed the government's commitment to update the Privacy Act based on recommendations in the Law Commission’s report, noting that ‘[t]he Government has already made progress on information sharing to assist government agencies, and we now need the second leg of the double.’ The Commissioner describes key recommendations she supports as:
The Ministry of Justice is to report back to the government in September 2012 with specific policy proposals concerning the Law Reform Commission recommendations, and other proposed reforms. Justice Minister Judith Collins has stated that a Bill will be introduced in early 2013.
Asia Pacific Privacy Authorities (APPA)
The 37th Asia Pacific Privacy Authorities (APPA) forum was hosted by the Office of the Privacy Commissioner for Personal Data, Hong Kong in Hong Kong on 14–15 June 2012. It was attended by representatives ten data protection authorities, including the USA’s FTC, the Mexican Commissioner’s office and both Korean authorites, the new Personal Information Protection Commission and the Korea Internet and Security Agency. Among the observers attending were Macau’s OPDP and Japan’s Office of Personal Data Protection (from its Consumer Affairs Agency), because they do not meet the accreditation requirements. APPA, which originated as a meeting of Australian and New Zealand agencies, is therefore evolving into something close to a meeting of data protection authorities from APEC ‘economies’. Taiwan (or ‘Chinese Taipei’ in APEC-speak) is still missing because it does not have any identifiable DPA.
The forum’s communique noted that Hong Kong’s new (then proposed) regulatory requirements on direct marketing activities ‘are amongst the most stringent. Members noted the growing trend of conferring on individuals a right to trace the source of personal data from direct marketers and that Hong Kong’s proposed regulatory control will provide a good reference for other APPA members in their future review of privacy protection’. The communique also noted that the legal assistance scheme to assist individuals to take privacy actions in the courts, now enacted in Hong Kong ‘is unique amongst APPA members,’ but that other jurisdictions have other methods by which damages are awarded in privacy complaints.
Assistance with this update from the following experts is gratefully acknowledged, but responsibility for views expressed in the article remains with the author: for Malaysia by Noriswadi Ismail, Managing Consultant, Quotient Consulting <http://qconsultant.com; for Hong Kong by Robin McLeish; for Taiwan by Hui-ling Chen of Winkler Partners, Taipei.
37th APPA Forum – Communiqué <http://www.pcpd.org.hk/english/infocentre/press_20120621.html>
Abadilla, EV ‘BPAP Expects President Aquino To Sign Data Privacy Act Soon’, 24 June 2012 <http://www.mb.com.ph/articles/363256/bpap-expects-president-aquino-to-sign-data-privacy-act-soon>
Correspondent ‘Chandigarh okays Right to Privacy Bill’ Dailybhaskar, <http://daily.bhaskar.com/article/CHD-chandigarh-okays-right-to-privacy-bill-3435082.html>
Digital News Asia ‘Philippines okays Data Privacy Act’ June 19, 2012, <http://www.digitalnewsasia.com/node/333>
Mohan, V ‘Chandigarh administration gives consent to Right to Privacy Bill’, TNN Jun 19, 2012, 05.03PM IST <http://articles.timesofindia.indiatimes.com/2012-06-19/chandigarh/32316511_1_privacy-bill-consent-chandigarh-administration>
New Zealand Government Response to the Law Commission Report on the Review of the Privacy Act 1993, available from <http://www.justice.gov.nz>
New Zealand Privacy Commissoner Media Release ‘Update the Privacy Act to strengthen protections for people and help business, says Privacy Commissioner’, 27 March 2012, <http://privacy.org.nz/update-the-privacy-act-to-strengthen-protections-for-people-and-help-business-says-privacy-commissioner-media-release>
Richards M, Crombie G and Li W ‘A new frontier: A review of the New
Zealand Privacy Act 1993’,  Privacy Law Bulletin Vol 8 No 6
Yan, Z ‘Personal data crimes set to be defined’ China Daily 4 July 2012, http://www.chinadaily.com.cn/china/2012-07/04/content_15546503.htm