Article

Data protection risks in a data driven economy: Tougher enforcement of data privacy laws in the Asia-Pacific region

8 March 2023 | Applicable law: Australia, Hong Kong, Indonesia, Japan, Singapore | 7 minute read

The data privacy landscape in the Asia-Pacific region (APAC) has transformed significantly in the last two years. While it still remains a patchwork of different privacy regimes, there is increasing convergence among the respective authorities towards tougher enforcement to combat the ever-evolving risks of cyber-attacks and threats.

The following paragraphs explore developments in this area within Australia, Singapore, Indonesia, Japan, and Hong Kong.

Australia

Australia saw a spate of high-profile data breaches in 2022, such as the cyberattacks on Optus and Medibank, which saw nearly 12 million customers' personal data leaked and exposed by hackers within the span of just two months. 

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022[1] was passed in November last year, introducing, amongst other measures, whopping financial penalties for serious or repeated breaches by companies. 

Described as being one of the highest penalties in the world for data contraventions to date, maximum penalties imposed on companies can now amount to the greater of[2] (a) AUD50 million; (b) if a court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtains – 3 times the value of that benefit; or, (c) if the benefit cannot be determined, 30% of the company's 'adjusted turnover' during the 'breach turnover period' for the contravention. 

Singapore 

  1. Extension of fixed sum penalties to 10% of an organisation's annual turnover

With effect from 1 October 2022, organisations may now be fined up to SGD1 million or 10% of the organisation's annual turnover in Singapore, whichever is higher, for violations of their data protection obligations under the Personal Data Protection Act ("PDPA"). This was extended from the previously fixed cap of SGD1 million.

In ascertaining the amount of financial penalty to be imposed, relevant factors considered by the Personal Data Protection Commission include the number of affected individuals, types of personal data compromised, timeframe of the incident, and whether the organisation took any effort to mitigate the consequences of their breach. 

  2. Recognition of emotional distress as actionable head of damage

In the landmark decision of Reed v Bellingham [2022] SGCA 60, the Singapore Court of Appeal ("SGCA") issued guidance on the right of individuals to commence private actions against organisations for data protection contraventions. 

Any individual who has suffered 'loss or damage' as a result of an organisation's breach of certain PDPA obligations may commence private claims against the violating organisation, with possible remedies including: (a) an injunction or a declaration; (b) damages; and/or (c) such other relief as the court thinks fit.

Considering the challenges with quantifying the value of personal data, the SGCA adopted the wider interpretation of the statute and held that emotional distress resulting from an organisation's breach may constitute sufficient "loss or damage" required to commence a private action under the PDPA. 

Concurrently, recognising the need to keep compliance costs manageable for organisations, the SGCA identified several control mechanisms to keep the right of private action within reasonable bounds. These include the clarification that the loss or damage must have been suffered directly as a result of the PDPA contraventions, and that mere loss of control of one's personal data is not an actionable loss or damage.

Indonesia 

Indonesia's long-awaited Personal Data Protection Law ("PDPL") finally came into force on 17 October 2022, with a transition period of 2 years at the latest for organisations to comply. If a company wishes to process personal data, it will be necessary to obtain explicit written consent from the owner of the personal data.  

The PDPL establishes a range of criminal and administrative fines, depending on the type and extent of the contravention. Criminal sanctions include: imprisonment of up to 6 (six) years; penalties of up to IDR 6 billion (around USD 400 thousand), seizure of assets or profits, freezing of the company's assets, permanent prohibitions from carrying on businesses or business activities, revocation of business licenses and/or dissolution of the company, amongst others. Administrative fines imposed on businesses can be a maximum of up to 2% of the company's annual revenue.[3]

More detailed regulations are anticipated to be issued within the next year or so.

Japan 

As part of significant amendments to the Act on the Protection of Personal Information of Japan ("APPI") in 2020, the maximum penalty amount which may be imposed for contravening the APPI was dramatically increased from JPY 0.3 million (around USD 3,000) to JPY 100 million (around USD 1 million). The penalty may be imposed if a business violates an order issued by the Personal Information Protection Commission to cure APPI violations. The increased penalty has been applicable since December 2020, while the 2020 amendments to the APPI came into force in April 2022.

A data subject whose personal data was affected may also bring a lawsuit against the business. In fact, there have been cases where businesses were held liable for damages to the data subject caused by data breaches. In those cases, the courts took into account, among other things, the categories of personal data subject to the data breach and their sensitivity, whether any data was exploited, and what actions the business took after the breach.

Hong Kong 

The Personal Data (Privacy) Ordinance ("PDPO") enshrines 6 data protection principles. If any data protection principle is breached, a complaint may be filed with the Office of the Privacy Commissioner for Personal Data (the "Commissioner"). Contravention of any enforcement notice issued by the Commissioner is an offence which may result in a maximum fine of HKD50,000 and imprisonment for 2 years, with a daily penalty of HKD1,000. Subsequent convictions can result in a maximum fine of HKD100,000 and imprisonment of 2 years, with a daily penalty of HKD2,000.

While the limit on penalties has not been raised, the PDPO underwent recent amendments to introduce new offences, and the penalties imposed under these new offences are much more severe. For example, fines of up to HKD1 million and imprisonment of up to 5 years could apply if a data user fails to comply with a data subject's request to cease the transfer of data for use in direct marketing, or if the data of the data subject is disclosed without consent, causing harm to the data subject or their family members.

In addition, common law principles continue to apply and supplement the protection offered under the PDPO. In a recent defamation case where photos of the plaintiff had been misused, the plaintiff raised a separate claim based on breach of the relevant data protection principles and was awarded damages for injury to feelings, based on the relevant principles drawn from discrimination cases.

Lessons drawn 

With increased penalties and enforcement, companies within the region can no longer afford to overlook data protection as the fines and liability towards individual claimants may potentially be crippling. It is imperative for companies to have in place a robust and comprehensive data protection framework, especially in response to potential data breaches. To ensure that they are prepared, organisations can consider the following: 

  1. regularly review and update data protection policies for compliance with the latest regulations;
  2. have in place robust contractual provisions with vendors to set out their responsibilities in relation to the personal data they process, and regularly monitor their compliance with these provisions;
  3. adopt data protection by design in systems and processes;
  4. develop and implement procedures for responding to data breaches;
  5. regularly train employees on these policies and procedures; and
  6. appoint a Data Protection Officer (DPO) who is empowered to ensure that policies and procedures are effectively implemented. 

[2] Amendment No. 14, AU Bill.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.
