Skip to content

Navigating GDPR and data regulation in Asia

Vivienne Artz
Vivienne Artz
Chief Privacy Officer

GDPR in Europe has led to a heightened focus on the fragmented state of data regulation in Asia Pacific. Faced with different data privacy and cyber security rules, can organizations ensure the continued free flow of data in order to #FightFinancialCrime?


  1. Data regulation in Asia is fragmented, with local privacy and cyber security rules often in conflict with requirements to comply with AML, anti-bribery and corruption, as well as modern slavery laws.
  2. The free flow of data is key for public-private information-sharing partnerships to function as effective tools to fight financial crime.
  3. The rapidly shifting landscape for data regulation in Asia is addressed in the industry report produced from our recent Pan Asian Regulatory Summit.

Europe’s General Data Protection Regulation (GDPR), which came into force in May 2018, prompted a seismic shift in how companies think about personal data.

The higher threshold for data privacy attracted the attention of corporations globally, given that any entity with a business in the European Union (EU) has to comply.

However, this has meant that few companies have been paying attention to the rapidly shifting landscape for data regulation in Asia, an issue that was discussed in depth at our 2018 Pan Asian Regulatory Summit.

GDPR’s impact on data regulation in Asia

In Asia Pacific, only New Zealand has earned what the EU calls GDPR adequacy – offering sufficient levels of data protection through its domestic legislation and international commitments.

Japan is set to achieve that status by the end of 2018, and the EU has opened talks with South Korea on the topic as well.

GDPR has also served as a rallying call for many Asian countries to assess their own data regulation frameworks, and the region’s varying social, economic and political backdrops have given rise to a complex tapestry of legislations, both already enacted and in draft form.

While European standards often meet or exceed individual country requirements in Asia Pacific, companies still need to get to grips with the most recent developments in the region’s data privacy and cyber security regimes, and shouldn’t assume they will find common ground with GDPR.

To cite just one example, GDPR stipulates that any data breach should be reported within 72 hours, while in Australia companies have 30 days to disclose.Navigating GDPR and data regulation in Asia

A fragmented landscape for data regulation in Asia

  • South Korea has long had one of the toughest stances on data privacy in the region. Severe penalties for data protection breaches include paying punitive damages, forfeiting profits, and holding senior executives of a company personally accountable. South Korea has strict rules on the cross-border sharing of data – a prohibited data transfer can lead to a fine of up to 3 percent of revenue. In 2016, Seoul rejected a request by Google to use mapping data due to security concerns.
  • China partially implemented a new cyber security law last year that required personal information and other important data to be stored locally within China. Of key concern to the international business community is the vague definition of the type of data that must be kept on servers within China, but a fleshed-out version of the regulation is expected to take effect at the beginning of 2019. It’s clear that China is taking data privacy seriously for its increasingly digital-savvy consumers. In January 2018, Ant Financial, Alibaba’s financial arm, came under fire after automatically enrolling users in a credit scoring affiliate.
  • India‘s Personal Data Protection Bill, which is making its way through parliament, aims to enshrine informed individual consent as the basis for the use of personal data. However, the bill has elicited concerns by both tech giants and other companies that will be required to physically host data in India under the localization provisions in the bill.
  • Singapore adopted a new Cybersecurity Bill in February 2018, and the outcome of a revision of its existing data privacy laws is expected next year, which could include a mandatory breach notification scheme.
  • Elsewhere in Southeast Asia, Vietnam and Indonesia are also planning to enact new privacy protections in the coming years.

Cross-border privacy rules

While some had hoped that GDPR would act as a global standard for data protection, the prospect of a binding and internationally coordinated approach to the issue appears slim.

In Asia Pacific, the APEC Cross-Border Privacy Rules (CBPR) System has provided a blueprint for a common regional approach.

It’s a voluntary scheme that economies and companies in the region can sign up to, although only a handful of countries have done so far, including the U.S., Mexico, Japan, Canada, Korea and Singapore, while Australia, Taiwan and the Philippines are working towards joining.

Critics say CBPR is less stringent than many existing national data protection laws, and only the U.S. and Japan have appointed accountability agents to certify businesses as CBPR-compliant.

As a non-binding agreement, it also has no enforcement mechanism, unlike GDPR, which stipulates hefty penalties if obligations are not met.

Navigating GDPR and data regulation in Asia

Conflicting regulatory regimes

Besides grappling with a lack of international standards, companies must also come to terms with overlapping, and at times, contradictory regulations within a single jurisdiction.

Consent, for instance, is the cornerstone of modern privacy regimes, but there are situations where consent may not be possible or suitable, and in fact detrimental to other policy goals.

Anti-money laundering (AML) legislation typically requires that financial institutions screen new customers to mitigate financial crime risks, and the prospective clients must provide their personal details for the screening to take place.

However, if a privacy law does not have a specific provision that covers this particular type of legitimate interest processing, it creates a challenge for organizations to comply with AML, anti-bribery and corruption, as well as modern slavery laws.

Restrictions on the sharing of personal data have also become part of bilateral trade negotiations, most notably in the new NAFTA agreement, which stipulated that rules requiring data to be stored locally would be prohibited in order not to impede the free flow of data for business purposes.

Such efforts mirror the result of an audience poll at the Pan Asian Regulatory Summit, which found that cross-border data flows are considered the most significant issue that needs to be addressed in terms of future data regulation in Asia.

However, given that the U.S. has pulled out of the Trans-Pacific Partnership, the influence of NAFTA on how cross-border data transfer is managed in Asia will be limited.

Watch: What regulatory change will have the biggest impact on financial markets in Asia?

Financial information-sharing partnerships

While government-to-government negotiations have sought to utilize trade agreements to ensure the free flow of data into the future, there are also efforts to create public-private partnerships that help mitigate existing gaps in the system.

In the last few years, the number of Financial Information-Sharing Partnerships (FISPs) has jumped from a handful to over 20 globally. These represent a new approach to understanding and reporting financial crime threats, and have enabled financial institutions and public sector agencies, including the police force, customs and financial authorities, to more effectively identify threats.

FISPs have led to direct benefits, including more effective reporting, as well as actual arrests and the freezing of assets.

With many companies caught out unprepared by GDPR, it’s prudent they seek professional advice on Asia’s fragmented data regulatory regimes as more and more local differences emerge.

For more information on the topics discussed at the 2018 Pan Asia Regulatory Summit, download our post-event report