Welcome to our August 2015 Asian data protection bulletin, in which we will outline some noteworthy legal developments in the Asian region, including:
On 1 April 2015 the Office of the Australian Information Commissioner ("OAIC") released revised guidelines on the Australian Privacy Principles ("APPs").
What are the APP Guidelines?
The APP Guidelines, originally released in February 2014, contain detailed information about the operation of the APPs, which form a subset of the Privacy Act 1988 (Cth). They are the Information Commissioner's interpretation of the APPs, and are not legally binding.
What has changed?
The revised APP Guidelines contain additional guidance on:
- when overseas entities will be considered to be carrying on business in Australia; and
- the provision of personal information to an overseas contractor.
When overseas companies are considered to be carrying on business in Australia
The Privacy Act and the APPs will only apply to an entity that has an Australian link. One of the tests to determine whether an entity has an Australian link is whether or not it carries on business in Australia. The OAIC has now indicated that an entity will not necessarily be carrying on a business in Australia only because a purchase order can be placed in Australia (but fulfilled overseas), or the entity's website can be accessed from Australia. The OAIC considers there must be some physical activity in Australia through human instrumentalities. This might include:
- having a place of business in Australia, or conducting business through an individual or entity located in Australia;
- registering a trade mark in Australia;
- fulfilling purchase orders in Australia; or
- offering to supply goods or services to Australia on the entity's website.
Under what circumstances an APP entity may breach the APPs when it provides personal information to an overseas contractor
Where an APP entity (an organisation covered by the Privacy Act) engages an overseas contractor to perform services on its behalf, it may disclose personal information to the contractor, for example by outsourcing its billing systems. The APP entity will then need to comply with APP 8.1, meaning that it will need to enter into a written agreement with the overseas contractor, and it may be responsible for the overseas contractor's mishandling of personal information (unless an exception in APP 8.2 applies).
However, as previously stated in the February 2014 APP Guidelines, sometimes providing personal information to an overseas contractor is only a 'use' rather than a 'disclosure', such as where an APP entity uses offshore cloud storage services. In this case, APP 8 may not apply. In the April 2014 APP Guidelines the OAIC has warned that APP entities should be aware that, even though there may not be a disclosure of personal information to an overseas contractor, any mishandling of personal information which is in the overseas contractor's possession may be a breach by the APP entity because the APP entity is still considered to be the holder of the personal information, and therefore ultimately responsible for it.
How does it affect me?
The updates to the APP Guidelines target some of the uncertainties around offshore businesses with operations in Australia, and also Australian businesses who send personal information offshore.
The guidance in relation to carrying on business in Australia reflects current Australian law, and in limited cases may reduce regulatory compliance for some entities.
For APP entities that provide personal information to an offshore contractor where there is no disclosure, those entities may wish to ensure contractual obligations are also in place with their overseas contractor.
On 29 March 2015, the Office of the Privacy Commissioner for Personal Data ("PCPD") published the Guidance on Closed Circuit Television ("CCTV") Surveillance and Use of Drones (the "Guidance"). This is the first time the PCPD has addressed the use of unmanned aircraft systems (commonly known as drones), following the Civil Aviation Department's ("CAD") Operations of Unmanned Aircraft Systems published on 13 March 2015. This Guidance replaces the earlier CCTV Surveillance Practices published in July 2010, to take account of the new provisions of the Personal Data (Privacy) (Amendment) Ordinance 2012.
Drone technology, first used by the military, has found its way into civilian recreational and commercial use. E-commerce giants such as Amazon and Google see drones as their next-generation option for delivering products to their customers' doorsteps. Drones are also increasingly common and much more affordable for amateur users, as shown by the increasing number of photos and videos taken by drones in social media news feeds.
The under-regulated use of drones in Hong Kong has raised privacy concerns among the residents of the densely populated city, as many drones are equipped with on-board cameras capable of recording images during flight. The new Guidance addresses the use of drones from a data privacy perspective. It targets drones used for all purposes (both recreational and commercial) with privacy-intrusive features, such as camera drones that can record or direct live footage to their operator. The Guidance provides that the guidelines applicable to CCTV will also apply to drones and provides suggestions on responsible use for drone users to follow, such as flight path planning, processing recordings and notifying others who may be affected by the drones (by using flashlights or putting up banners indicating the drone operator).
As the commercial and civilian use of drones becomes more popular, we expect that regulation of the use of drones will intensify in the future.
On 8 May 2015, several measures were announced to assist companies to understand their obligations under the Singapore Personal Data Protection Act ("PDPA"), which has been in force since 2 July 2014. The new measures are intended to benefit, in particular, small and medium-sized enterprises ("SMEs").
Legal Advice Scheme
The Personal Data Protection Commission ("PDPC"), which acts as the authority for monitoring compliance with and enforcing the PDPA, will collaborate with the Law Society of Singapore to establish a legal advice scheme starting from 1 June 2015. The new scheme will provide SMEs with basic legal advice on PDPA compliance requirements at a preferential fixed rate.
Increase in DNC Credits
From 1 June 2015, the PDPC will double the credits for free checking of the Do Not Call ("DNC") registry from the current 500 to 1,000. The PDPC estimates that with this new measure in place, over 80% of organisations will not need to pay to check contact numbers against the DNC registry.
New Templates and Resources
The PDPC, in collaboration with the Cyber Security Agency of Singapore ("CSA"), has released the following resources:
- a brochure with information on electronic personal data protection and recommendations on good information and communications technology practices to implement; and
- two guides which provide information on how organisations can protect personal data in electronic medium, as well as information on how organisations should manage data breaches.
In addition, the PDPC has also published a guide containing sample clauses which an organisation may use to obtain an individual’s consent to collect, use or disclose his personal data for particular purposes, as well as for an individual to withdraw consent or otherwise indicate that he does not consent.
New Advisory Guidelines
Lastly, the PDPC also issued a new set of advisory guidelines which provide greater clarity on whether an organisation may require an individual to give his consent for marketing purposes. The guidelines focus on the application and interpretation of section 14(2)(a) of the PDPA and section 46(1) of the Do Not Call Provisions, which state that an organisation shall not, as a condition of providing a product or service, require an individual to give consent beyond what is reasonable to provide the product or service.
All of the above guidelines, templates and resources are available on the PDPC's website.
(Contribution from K&K Advocates)
As opposed to the omnibus regulations seen in Europe and several Asian countries such as Singapore, Hong Kong and Malaysia, there are currently no laws or regulations in Indonesia that specifically regulate the entire field of privacy and data protection.
In the absence of such general legislation, the two most important pieces of legislation are Law No. 11 of 2008 regarding Information and Electronic Transactions (“IET Law”) and Government Regulation No. 82 of 2012 regarding the Provision of Electronic Systems and Transactions (“Regulation 82”). Both pieces of legislation contain specific provisions in relation to privacy rights including data collection.
In addition, there are a substantial number of specific rules on data protection scattered through Indonesian laws and regulations, from the 1945 Constitution to specific sectoral laws for the telecommunications, financial and health sectors.
The IET Law aims to provide a legal framework for electronic services and transactions. The law includes rules on domain names, online contracting and specific rules on data protection. With respect to the latter, the IET Law requires that all uses of electronic information which contains personal data must be conducted with prior consent from the individual to whom the personal data relates. This consent obligation applies to both companies and individuals.
Violation of these rules may be sanctioned through criminal proceedings, with penalties including imprisonment and fines, both of which may also apply to companies and their directors. With regard to personal data, the law states that any unlawful access to other people's computers or electronic information is punishable by imprisonment of up to 6 years and/or fines of up to IDR 600 million.
Though there have been a number of cases concerning violations of the IET Law, these violations relate more to defamation committed by individuals than to the data protection stipulations.
Regulation 82 is a further implementing regulation of the IET Law and stipulates a number of specific requirements with which various online actors must comply. Most notorious are the obligations for electronic service providers that provide a public service. These service providers need to register with the Minister of Communication and Informatics, need to establish a data centre and disaster recovery centre in Indonesia and in certain cases need to share developed source code with government agencies. In the absence of much-needed clarification of such burdensome requirements, companies are struggling to find out whether they are an "electronic service provider" and whether they provide a "public service" as stipulated under Regulation 82.
Regulation 82 provides a list of administrative sanctions for non-compliance, which include written warnings, administrative fines, temporary suspension of business and expulsion from the register (which entails a de facto permanent suspension of business). These sanctions, however, have not come into force and require yet another piece of implementing legislation.
The rules themselves, however, are already in full effect. Therefore, while waiting for the implementing regulation to be issued, it is advisable for companies to acknowledge Regulation 82 and seek advice on how Regulation 82 will potentially affect their business when it is fully enforced.
We have been informed through various sources that the Ministry of Communication and Informatics is currently in the process of finalising a draft law which may introduce general rules regulating the use of personal data. The draft law is planned to be submitted to the Indonesian parliament within the course of next year.