Data Privacy and Transfer in Investigations
This is an Insight article, written by a selected partner as part of GIR's co-published content.
The complexity and variety of data privacy and data protection regimes in the Asia-Pacific region, together with the development of new regimes, have made conducting investigations in the region increasingly challenging. These regimes may impose onerous restrictions on a company's ability to collect, transfer and disclose personal information, all of which are necessary to conduct internal investigations, to comply with subpoenas or requests for information from authorities, or where companies wish to voluntarily disclose personal information to law enforcement agencies to receive more lenient treatment. In particular, the US Department of Justice (DOJ), while acknowledging the complications companies face in these circumstances, views attempts by companies to resist disclosure of information on the basis of compliance with non-US data privacy laws with suspicion and places the burden on the company to show that the data privacy law in question prohibits disclosure.1
Bearing this context in mind, it is important that companies understand the requirements of data privacy and data protection regimes in the Asia-Pacific region.
Data privacy issues in the context of an investigation
Most jurisdictions in the Asia-Pacific region impose severe penalties (both civil and criminal) for violations of data privacy laws and regulations. As such, adherence to the applicable rules is critical at all relevant stages of an investigation, which are as follows.
Implementation of employment agreements and company data privacy policies
Companies must ensure that the routine collection, storage and use of employees' and customers' personal data comply with applicable data privacy laws and regulations. As discussed below, most jurisdictions require some form of notice and consent, and in the employment context, a company's ability to collect and use personal data will largely be prescribed by an employment agreement. Depending on local law and practice, this agreement may incorporate company policies on acceptable use of information technology resources, including the creation of personal data and the company's right to collect and use it. It is important that companies consider regularly reviewing and updating their employment agreements and company policies to keep up with legal and regulatory developments.
Companies should also consider company policies aimed to address the modes of communication employees use to conduct business. Many employees in the Asia-Pacific region use instant messaging applications such as WhatsApp, WeChat or Line to conduct business, which sometimes leads to the commingling of work-related and personal information. Some companies' IT-use policies do not address the use of these platforms; others strictly prohibit their use for business purposes. It is important that companies clearly delineate how personal devices may be used for company business and to what extent, if any, company-owned devices can be used for personal matters. This is for two overarching reasons: (1) from a data privacy compliance perspective, the intermixing of personal and work-related information complicates the matter of extracting work-related information when it is needed for an investigation; and (2) law enforcement agencies, in particular the DOJ in the US Foreign Corrupt Practices Act (FCPA) context, strongly encourage companies to prohibit 'the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications'.2
Collection of personal information
Personal information gathered during data collection or through interviews must comply with provisions regarding, for example, obtaining the individual's consent to the collection and giving reasonable notice to the individual that his or her data is being collected.
Retention of personal data once it has been collected
Companies need to ensure that personal data is not kept for longer than the time limit prescribed by law. This duty is sometimes complicated where routine deletion or non-retention of data may hamper an investigation or conflict with data-preservation requirements in other jurisdictions. The issue frequently arises in FCPA investigations, where the DOJ sometimes views with scepticism a company's reliance on data privacy laws as a reason for not disclosing information.
Cross-border transfer of data
Even where personal data does not leave a company's possession or control, if the company transfers the data across an international border, that transfer may trigger provisions under data privacy laws that regulate whether and how that information can be transferred. For example, some jurisdictions, such as China and Taiwan, impose restrictions on cross-border transfers of certain categories of data for protectionist reasons. In the cross-border investigations context, data may need to be exported for review and analysis by legal and technical experts (for example, for document review or computer forensics purposes), and eventually for production to law enforcement authorities.
Disclosure of personal data to public authorities
Many jurisdictions provide certain exceptions to data privacy and data protection requirements where companies are requested or ordered to disclose personal information in connection with investigations by authorities, or where companies voluntarily disclose information in order to cooperate with law enforcement. However, even in the above circumstances there may be restrictions on disclosure. Some countries require a disclosure in such circumstances to be limited to only what is necessary to disclose. In other cases, as noted above, there may be broad restrictions on cross-border transfers of certain categories of information. The United States has recognised the possible tension between requests or orders for information by US authorities and laws in other countries that may prevent disclosure of that information. Under the CLOUD Act (discussed in further detail below), a US digital service provider may resist disclosure of data to US authorities, even when served with orders or subpoenas, if the service provider reasonably believes: (1) that the target of the request is not a US person and does not reside in the United States; and (2) the required disclosure creates a material risk that the service provider would violate the laws of another country with which the US government has an executive agreement under the CLOUD Act.
Appreciating how data privacy and data protection issues may arise under various countries' laws at different stages of an investigation will allow companies to appropriately address such issues, even in complex multi-jurisdictional investigations, and to avoid potential violations that may interfere with the conduct of an investigation or result in severe penalties.
Data privacy regimes in the Asia-Pacific region
Core principles of data protection
Generally, laws of the countries in Asia-Pacific with established data privacy and data protection regimes require that individuals be informed of what personal information is collected, why it is collected and with whom it is shared. Although the mechanisms differ by jurisdiction, there are several common principles:
- Notice: individuals must be informed in advance what information will be collected, how it will be used and to whom it will be disclosed.
- Consent: individuals must be afforded some type of consent or choice regarding the use and sharing of their information.
- Data security: companies that collect, use and disclose personal information must take reasonable precautions to protect that information from loss, misuse, unauthorised access, disclosure, alteration and destruction.
- Access and correction: individuals must be able to access and, where appropriate, correct, update or suppress information collected about them.
- Data integrity: companies that collect personal information must take steps to ensure that it is accurate, complete and up to date.
- Data retention: companies must only retain personal information for the period of time it is required.
Established versus evolving data privacy regimes
Many jurisdictions in the Asia-Pacific region have comprehensive and established data privacy and data protection laws, including Australia, Hong Kong, India, Japan, Macao, Malaysia, New Zealand, the Philippines, Singapore, South Korea and Taiwan. These jurisdictions have generally adopted laws and regulations putting into effect the core principles of data protection discussed above. Indonesia has also moved towards establishing a more comprehensive regime, with its introduction of the Ministry of Communication Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems on 1 December 2016, although many principles of data privacy and data protection have not yet been fully developed.
Other jurisdictions in the Asia-Pacific region without comprehensive or consolidated privacy laws, including China, Thailand and Vietnam, are moving toward development of data privacy and data protection laws at different rates and in different ways.
The body of law in China that touches on issues of data privacy and data protection is contained in a multitude of legislation, including the General Rules of Civil Code, the Tortious Liability Law, the Criminal Law, the Consumer Protection Law and the Standing Committee of China's National People's Congress Decision on Network Information Protection dated 28 December 2012. More recently, on 1 June 2017, the Cybersecurity Law came into force, significantly developing the law regarding data protection and transfer.
China's new Cybersecurity Law governs a wide range of various technology- and network-related issues, including the protection and transfer of personal information. The law imposes far-reaching restrictions on how computer networks are to be operated. Two noteworthy features of the law are the requirement of data localisation and some heavy-handed restrictions on cross-border data transfer, which are discussed below.
In Vietnam, there is no consolidated law on data privacy and data protection. The laws touching on this area are found in multiple documents, including the Constitution, the Civil and Criminal Codes, the Consumers' Rights Protection Law, the E-Commerce Law, the Law on Information Technology, and the Law on Network Information Security. Together, however, these laws provide protection roughly in accordance with the core principles highlighted above.
Thailand has yet to implement a data privacy and data protection regime, although on 25 January 2018, the Thai Ministry of Digital Economy Society published the latest draft of the Thai Personal Data Protection Bill (PDPB) for its fourth public hearing and public consultation. On 22 May 2018, the Cabinet of Thailand approved a draft of the PDPB that will be read and considered by the National Assembly of Thailand for further enactment. It is unknown when exactly the PDPB will be passed into law and implemented. On the basis of the current draft of the PDPB, it is expected that the new law will grant individuals control over their personal information, and will require the individual's consent to the collection, use and disclosure of personal information. The current draft of the PDPB also introduces various protective measures aimed at preventing data privacy violations.
Relevant features of Asia-Pacific data privacy regimes in the context of investigations
Data privacy and data protection regimes in the Asia-Pacific region vary to some degree in their approaches. Important differences among the regimes relevant to the conduct of an investigation relate mainly to: (1) the role an individual's consent plays in the collection, use and disclosure of personal information; (2) a company's obligation to retain personal information for a limited period of time; and (3) the manner in which personal data can be disclosed or transferred across international borders.
The requirement to obtain consent
While Asia-Pacific jurisdictions generally impose a requirement to obtain an individual's consent before personal data is used or transferred, the same requirement does not necessarily apply equally in all jurisdictions with respect to the collection of personal data. For instance, in Australia, there is no requirement for organisations to obtain an individual's consent to collect information; entities need only ensure that the collection of the information is reasonably necessary for one or more of the organisation's functions or activities.3 Consent does play a role in Australia, however, where an organisation wishes to use or disclose personal information for any reason other than that for which it was collected.4 Hong Kong has adopted this same approach to the question of consent.5
Conversely, several jurisdictions do require that entities obtain the consent of the individual before personal information about that individual is collected. In Singapore, organisations may only collect, use or disclose personal data for the purposes for which an individual has given consent.6 Singapore law provides exceptions to the requirement of obtaining the individual's consent in the context of investigations, but only where the collection, use or disclosure is necessary, with an additional requirement for collection that it must be reasonable to expect that seeking consent would compromise the availability or accuracy of the personal data in question.7
In Japan, the position is more nuanced. Where the data is considered to be sensitive personal information – as opposed to merely personal information – the business operator in question is required to obtain the individual's consent to collect the data;8 where the information is not considered sensitive, Japanese law simply provides that the information must not be acquired through deception or other wrongful means.9 The term 'sensitive personal information' is defined as information specified by the Japanese authorities as requiring special consideration in handling to avoid any unfair discrimination, prejudice or other disadvantage to an individual based on the person's race, creed, social status, medical history or criminal records, or the fact that a person has incurred damages through an offence.10 Japanese privacy law provides an exception to the requirement to obtain consent for collection of personal data where such collection is needed to cooperate with public authorities and obtaining the individual's consent is likely to interfere with the public authorities' affairs.11 This exception also applies to the disclosure of personal data to a third party.12 This exception does not extend to internal investigations, however.
Under Taiwanese law, consent is not treated as a requirement, but rather as one of many conditions that may justify collection and processing of personal data. To comply with privacy law, data collection by Taiwanese data collectors and processors must meet one of the prescribed conditions in Article 19 of the Taiwan Personal Data Protection Law, as well as be for a specified purpose.13
Other countries that impose a general consent requirement for the collection of personal data include China, Indonesia, Malaysia, the Philippines and Vietnam.
Retention of personal data
Jurisdictions in the Asia-Pacific region such as Australia, Hong Kong, Japan, Malaysia, the Philippines, Singapore, Taiwan and Vietnam generally do not specify time limits for the retention of data, but instead provide that, once the purpose for which the personal data was collected has been exhausted, the entity in question should cease to retain the information. In other countries (such as China and Indonesia), general bookkeeping laws and regulations relating to the archiving of data apply to the retention of personal information.
It should be noted that there is often a tension between local privacy law requirements for the retention and eventual destruction of personal information, and requirements or conditions imposed by government regulators and authorities when conducting public investigations. For instance, under the DOJ's FCPA Corporate Enforcement Policy, where companies seek limited credit for full cooperation with an FCPA investigation in circumstances where there was no initial voluntary disclosure, some of the factors the DOJ considers are whether there was: (1) 'timely preservation, collection and disclosure of relevant documents and information relating to their provenance'; and (2) 'appropriate retention of business records, and [prohibition of] the improper destruction or deletion of business records.'14 In respect of the first factor, the DOJ notes that where a company claims that disclosure of overseas documents is prohibited by reason of local data privacy laws, the burden is on the company to establish such prohibition.15
Therefore, in FCPA investigations at least, where proper disclosure of personal information cannot be completed because of data privacy laws governing the retention and destruction of such information, companies must be able to demonstrate that the non-retention or destruction of the data in question was done pursuant to and in accordance with mandatory laws governing data retention.
Cross-border disclosure and transfer of personal data
Rules for cross-border disclosure and transfer differ greatly among countries in Asia-Pacific. In general, the requirement imposed by jurisdictions in the region is that the entity sending personal data overseas must ensure that the recipient entity or country provides protection of personal information in a materially similar manner to the jurisdiction from where the data was sent, but this general requirement is not universally applicable. Where there is such a requirement, many Asia-Pacific data privacy and data protection regimes do not generally provide guidance on which countries are deemed to provide adequate protection. A way for companies to mitigate the risks of falling foul of these requirements when transferring data cross-border is by entering into contractual arrangements designed to adhere to a standard of data protection more closely aligned with the laws of the country where the data was initially created.
In Australia, where an entity discloses personal data to a recipient abroad, the entity sending the information must reasonably ensure that the overseas entity does not breach the Australian Privacy Principles set out in Schedule 1 of Australia's Privacy Act 1999.16 If the overseas entity breaches the Australian Privacy Principles, then the entity sending the information is taken as having breached those principles itself.17 However, exceptions exist if the entity sending the data reasonably believes that the recipient entity is subject to a data privacy regime that is materially similar to the position under Australian law.18 Where the entity in question is an agency, one of the additional exceptions applies where the entity believes that the cross-border transfer is reasonably necessary for an enforcement action.19
Japan imposes similar restrictions to Australia. In addition to the condition that the individual in question has provided his or her consent, Japan also permits the transfer of personal information overseas if: (1) the recipient entity has a system in place deemed compliant with the data protection standards under Japanese law; or (2) the recipient is located in a country with a data privacy regime deemed equivalent to the Japanese regime, as designated by Japan's Personal Information Protection Commission.20 Malaysia and Singapore have also adopted similar restrictions on cross-border data transfers.
Some other countries have introduced aspects of protectionism in their restrictions on cross-border data transfer. For example, under Taiwan's Personal Data Protection Law, where a non-government entity seeks to transmit personal information overseas, Taiwanese regulators may prevent transmission where such transmission is in respect of personal information that involves major national interests.21
The most critical example of this type of protectionism-driven transfer restriction is found in China's new Cybersecurity Law. The law creates a category of network operators known as operators of critical information infrastructure (CII Operator or CII Operators). CII Operators are operators of certain major computer networks, which include networks relating to public communications and information services, energy, finance, transportation, water conservation, public services and e-governance.22 Although China has released guidance on what it considers to be sectors with critical information infrastructure,23 which may be instructive in understanding what is considered a CII Operator under the Cybersecurity Law, it is still unclear whether any and all network operators who operate in one of the identified sectors are automatically considered CII Operators.
In terms of restrictions on cross-border data transfers, the Cybersecurity Law restricts the transfer of data collected by CII Operators by subjecting such transfers to a security assessment.24 It is not clear at present what such a security assessment will entail, as China's cyberspace administration bodies are still in the process of developing assessment measures. What is known, however, is that the cross-border transfer of data by CII Operators will become much more cumbersome.
The APEC privacy framework: towards harmonisation?
The Asia-Pacific Economic Cooperation (APEC) is a regional forum made up of 21 economies that seeks to secure growth and accelerate regional economic integration. Two APEC initiatives aim to harmonise standards for privacy and data protection around the Asia-Pacific region: The Cross-Border Privacy Rules (CBPR) System is a voluntary system for facilitating the exchange of personal information among participating APEC economies. The Privacy Recognition for Processors (PRP) System is a set of requirements intended to help personal information processors comply with relevant privacy obligations. The CBPR and PRP establish baseline protections but do not alter domestic laws.
Although all 21 APEC jurisdictions have endorsed the CBPR, to participate each must officially express its intent to join and meet the system's requirements. On 20 February 2018, Singapore became the latest participating CBPR economy, joining Canada, Japan, Mexico, South Korea and the United States. As at the time of writing, 22 companies have also been certified under the CBPR by demonstrating compliance to an APEC CBPR-recognised accountability agent.
On 15 December 2017, APEC officially approved the United States as the first APEC economy to join the PRP system by demonstrating compliance with its baseline requirements for data protection to the APEC Joint Oversight Panel. On 20 February 2018, Singapore became the second APEC economy to join the PRP system. The Philippines and Taiwan have also submitted notices of their intention to join the CBPR and PRP systems in the near future.
Additional development to watch: influence of GDPR
The General Data Protection Regulation (GDPR) intends to strengthen and harmonise data protection laws within the European Union and regulate export of personal data. Unlike the APEC CBPR system, the GDPR is directly binding and applicable. The GDPR's influence in Asia-Pacific jurisdictions was apparent even before it became effective in May 2018.
Noting the GDPR's likely impact on non-EU businesses as a result of its extraterritoriality, Hong Kong's Privacy Commissioner for Personal Data (PCPD) has advised businesses to become GDPR-ready and has offered to advise and promote GDPR compliance. The PCPD is also conducting a comparative study of the GDPR and Hong Kong's Personal Data Privacy Ordinance, in consideration of parallel reforms that would facilitate free flow of information and commercial activities.
Similarly, when the Philippines developed implementing rules and regulations for the country's first comprehensive data protection law, it sought to harmonise with the European approach by including a right to object to profiling, a right to data portability, and a mandatory 72-hour data breach notification requirement.
Most recently, on 17 July 2018, the EU and Japan reached an agreement to create the world's largest area of safe data flow, recognising each other's data protection systems as equivalent.25 Once the agreement is adopted, it 'will cover personal data exchanged for commercial purposes, ensuring that in all exchanges a high level of data protection is applied'. The agreement also requires Japan to implement a set of rules providing individuals in the EU whose personal data is transferred to Japan with additional safeguards to address certain differences between the two systems and to implement a complaint-handling mechanism to investigate and resolve complaints from Europeans regarding Japanese authorities' access to their personal data.
Additional development to watch: the CLOUD Act
Historically, in the context of investigations and law enforcement, government regulators and investigators have faced significant problems with retrieving personal data that is stored outside their jurisdiction.
US lawmakers have attempted to address this problem. On 23 March 2018, President Trump signed the CLOUD Act into law, requiring certain US digital service providers that are served with court orders under the Stored Communications Act to turn over data no matter where stored, so long as it is within the US company's 'possession, custody, or control'. A second feature of the CLOUD Act is the regime permitting regulators of countries who have signed an executive agreement with the United States to request documents directly from US companies as long as the US digital service provider is subject to the jurisdiction of that foreign government. The CLOUD Act will thus substantially expand the power of investigators and regulators to retrieve data and documents from companies and data centres, wherever they are stored in the world.
It is thus crucial to appreciate that, in theory, all data – personal data included – is now more accessible to US authorities and countries with which the US has entered into an executive agreement under the CLOUD Act. This is important in the Asia-Pacific context, not least because, over the past few years, large US companies and cloud service providers have established data centres in key jurisdictions in the region,26 meaning that the United States may wield more power to compel production of personal information that was created in Asia and that is held by US cloud service providers.
Conducting an effective internal investigation and responding to requests and orders from authorities in connection with regulatory investigations are complicated by a company's need to comply with applicable data privacy and data protection laws. These complications are particularly evident in the Asia-Pacific region, where the data privacy and data protection framework is heavily fragmented and approaches to data privacy and data protection are so diverse. Although there have been some efforts to harmonise the applicable principles, these efforts fall far short of creating a uniform system of personal data protection. Companies must appreciate the nuances of applicable data privacy rules in each country and how they might affect the conduct of an internal investigation or the scope of their obligations to respond to requests or orders from applicable law enforcement authorities.
1 DOJ's FCPA Corporate Enforcement Policy, p. 3. Retrieved from www.justice.gov/criminal-fraud/file/838416/download.
2 Id., p. 4.
3 Australia's Privacy Act 1999, Sch. 1, cl. 3.
4 Id., Sch. 1, cl. 6.
5 Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486), Sch. 1 paras. 1(1) and 3(1).
6 Singapore's Personal Data Protection Act 2012, section 13.
7 Id., Sch. 2, para. 1(e); Sch. 3, para. 1(e); Sch. 4, para. 1(e).
8 Japan's Act on the Protection of Personal Information, Art. 16(1).
9 Id., Art. 17(1).
10 Id., Art. 2(3).
11 Id., Art. 17(2)(iv).
12 Id., Art. 23(1)(iv).
13 Taiwan's Personal Data Protection Act, Art. 19(5).
14 DOJ's FCPA Corporate Enforcement Policy, pp. 3–4.
15 Id., p. 3.
16 Australia's Privacy Act 1999, Sch. 1, sub-cl. 8.1.
17 Id., section 16C.
18 Id., Sch. 1, sub-cl. 8.2(a)(i)–(ii).
19 Id., Sch. 1, sub-cl. 8.2(f)(i)–(ii).
20 Japan's Act on the Protection of Personal Information, Art. 24.
21 Taiwan's Personal Data Protection Act, Art. 21.
22 China's Cybersecurity Law, Art. 31.
23 China's National Network Security Inspection Operational Guide, section 3.2; China's Regulations on the Security Protection of Critical Information Infrastructure, Art. 18.
24 China's Cybersecurity Law, Art. 37.
25 European Commission. (17 July 2018). The European Union and Japan agreed to create the world's largest area of safe data flows [Press release]. Retrieved from http://europa.eu/rapid/press-release_IP-18-4501_en.htm.
26 Visa. (26 July 2017). Visa Expands Global Transaction Processing with Facilities in Singapore and United Kingdom [Press release]. Retrieved from http://pressreleases.visa.com/phoenix.zhtml?c=215693&p=irol-newsarticlePR&ID=2288776; LinkedIn. (6 April 2016). LinkedIn's first data centre outside of the US comes online in Singapore [Press release]. Retrieved from https://news.linkedin.com/2016/linkedins-first-data-centre-outside-of-the-US-comes-online-in-Singapore; Kava, J., Google Vice President of Data Centers. (2 June 2015). Growing our data centre in Singapore. Retrieved from https://blog.google/topics/google-asia/growing-our-data-center-in-singapore/.