Convergence of data privacy laws in Asia: ABLI’s project showcased at 3rd Paris Peace Forum

By Dr. Clarisse Girot

Since 2017 the Asian Business Law Institute (ABLI) has been offering an apolitical, non-institutional, non-profit, and trusted platform of regional cooperation to advance multi-stakeholder discussions on convergence of data privacy laws in APAC.

The timeliness of such discussions has been enhanced by the current Covid-19 crisis and we welcome the opportunity to pitch our project at the upcoming edition of the Paris Peace Forum in November.

The crisis has accelerated the take-up of technology across many sectors, and governments have harnessed digital technologies to support the public-health response to the virus among others through population surveillance, contact tracing, and use of mobility data. The future 5G mobile network will accelerate the use of data transmissions, all of which are dependent on smooth and secure cross-border data flows.

Yet Asia, in particular, remains a patchwork of different laws governing the collection, use and transfer of that data, despite drawing on the same sources, like the OECD Privacy Guidelines, the APEC Privacy Framework and Europe’s General Data Protection Regulation.

For instance, different rules apply in the regulation of cross-border data transfers in the Asia-Pacific. Transfers may be authorised or prohibited by default, subject to exceptions that vary. Jurisdictions like China, India, Indonesia and Vietnam have imposed strict obligations to localise their citizens’ data, citing digital-sovereignty and national-security concerns. Individual consent is a default requirement to transfer data overseas in some, not all jurisdictions. Consent may be understood differently. Not all compliance mechanisms that companies may use to transfer data as alternatives to consent are recognised in all jurisdictions.

Because of the interdependence of data-flows frameworks, decisions originating outside Asia also have major implications for policy and practice of privacy, in Asia and globally. For instance, the decision of the European Court of Justice striking down the Privacy Shield, a data-transfer agreement between the EU and the United States, or the presidential order given to ByteDance to…