As we discussed in the previous installment of Data Privacy and Regulatory Compliance In-Depth, compliance with data privacy regulations is critical to the modern enterprise but is often complicated by the globalization of the business world and the enterprise’s increasing adoption of cloud computing, in particular the services of major, multinational CSPs like Salesforce, Microsoft and Google. To effectively safeguard data and maintain regulatory compliance wherever your data is stored, whether on domestic soil or on the opposite side of the globe, you’ll have to understand the distinctions between different countries’ data privacy laws so that you can evaluate where your current data privacy strategies and cloud computing deployments stand. Today, we’ll be looking at East Asia, where nations like China, Japan, South Korea, and Taiwan produce innovative technologies and manufacture large volumes of consumer goods, often for North American and European corporations.
China Cloud Compliance & Data Privacy
When it comes to data privacy and security laws, China’s are some of the most concerning for the privacy-conscious enterprise. China imposes only limited restrictions to ensure data privacy and lacks a comprehensive data protection law. Personal data protection provisions are scattered throughout a number of laws and regulations with varying interpretations, and the People’s Republic of China (PRC) has no national data protection authority. Additionally, some laws, such as the Consumer Rights Law, do not define personal data or personal information. The PRC also does not require data breaches or losses to be disclosed to any authority, and breach notifications are recommended, not mandated.
Japan Cloud Compliance & Data Privacy
In contrast to the PRC, Japan imposes strong restrictions on the use and transfer of private data. The Act on the Protection of Personal Information (APPI) is the main data privacy law, and several government ministries have also issued guidelines around the APPI that are commonly followed by Japanese business operators. The APPI lays out specific steps that must be taken to secure personal data.
When it comes to breach notifications, the Japan Financial Services Agency (JFSA) APPI guidelines require business operators governed by the JFSA to immediately produce a report when personal information is exposed. Business operators must promptly publicize details of the leak and the measures taken to prevent future leaks. Affected individuals must also be notified.
South Korea Cloud Compliance & Data Privacy
Like Japan, South Korea has enacted strong restrictions to protect sensitive personal data. The Personal Information Protection Act (PIPA) became effective on September 30, 2011 and is complemented by sector-specific legislation. Notable among the sector-specific legislation are the Use and Protection of Credit Information Act (UPCIA), which governs data privacy as it relates to personal credit information, and the Act on Real Name Financial Transactions and Guarantee of Secrecy (ARNFTGS), which aims to protect data obtained by organizations in the financial sector. South Korean data privacy laws lay out specific measures that data handlers and IT service providers must take to protect private data, including installing and maintaining access control devices and deploying data security technologies such as encryption. PIPA also mandates the immediate notification of persons whose data has been exposed, with additional government notification should the number of affected persons exceed 10,000.
Taiwan Cloud Compliance & Data Privacy
Like the PRC, Taiwan imposes only limited restrictions on data handling and transfer. Formerly known as the Computer Processed Personal Data Protection Law (CPPL), the Personal Data Protection Law (PDPL) became effective on October 1, 2012, but some of its provisions, including those related to obligatory breach notifications for personal data collected before the enactment of the PDPL, have not yet taken effect. Further review and amendment of the PDPL is ongoing, and at present there is no national data protection authority. Instead, the various ministries and local and county governments serve as the supervisory authorities.
For organizations looking to do business in East Asia or to use third-party services headquartered in East Asia, careful attention to the relevant data privacy and protection laws will be necessary, especially where the laxity or lack of clarity in those laws may allow for suboptimal data security practices. To learn more about data privacy regulations around the world, download our ebook, Global Guide to Data Protection Laws, today.