In the second part of a special series on technology in the legal sector, Leo Long looks at data protection and cybersecurity. Is regulation keeping up? And is your legal team adaptable enough to stay ahead of the curve?
While the world was still reeling from the WannaCry ransomware back in May, a newer, nastier and more intelligent virus called Petya broke the following month. This pair proved calamitous for many businesses and individuals, but more than that, the events drove home the need for urgency in both regulation and adequate security of digital information, and nowhere is that more pertinent than with the sensitive information banked at law firms and company legal departments.
While the cyber community is still trying to work out where the two attacks came from, for many the once-abstract concepts of data protection and cybersecurity are quickly gaining traction.
“[The attacks] add another element of urgency that calls for especially large organizations to beef up their cyber intrusion detection and mitigation strategy – one of the major selling points of the new China Cybersecurity Law,” Stephen Yu, a director at AlixPartners in Shanghai, said recently.
On the internal risk management side, handling personal data without suffering breaches is a challenge for businesses. Incidents of data theft around Asia are numerous. A recent report by security firm ThreatMetrix, which provides online authentication services, found that 11.8% of e-commerce transactions in the Asia-Pacific were fraudulent login attempts, as cybercriminals leverage patched-together stolen identities to carry out attacks on digital transactions.
Law firms are among the prominent potential targets “because of the confidential and privileged data that they hold, especially relating to M&A [merger and acquisition] activity,” says Paul Jackson, the Asia-Pacific leader of cybersecurity and investigations at Kroll, a global provider of risk solutions.
The Panama Papers, which involved an offshore law firm and the leakage of millions of confidential attorney-client documents in 2016, raised a large red flag for law firm managers. Many firms have employed strategies to boost cyber defences and data protection capabilities. With regard to in-house lawyers, the international Association of Corporate Counsel (ACC) in March published data security guidelines for in-house counsel, which among other things set out in-house expectations of external lawyers that have access to sensitive company data.
New rules and regulations on cybersecurity are expected to have a significant impact on businesses wanting to insure themselves against risks involved with the internet of things (IoT), big data and mobile payments as awareness grows.
For example, Japanese companies are showing great interest in the potential uses of big data and artificial intelligence (AI) in their businesses, according to Christopher Hunt, a Tokyo-based partner of Herbert Smith Freehills.
“We are also seeing those in manufacturing and heavy industry, in particular, increasingly grappling with IoT issues and the applicable regulatory landscape, bearing in mind the more developed position in Europe and the US,” says Hunt. “In addition, Japanese companies are increasingly taking an interest in how to insure against cyber risks as their understanding and awareness of the potential exposures grows.”
Jackson, from Kroll, adds: “APAC entities are generally – although not always – lagging behind when it comes to their cybersecurity posture and levels of spending to address this issue, but things are changing as stronger legal and regulatory frameworks are rapidly being implemented across the region, coupled with a greater understanding at a leadership level of the business impacts of data breaches.”
This resolve to change is visible in the notable campaigns launched by governments, such as Singapore’s Smart Nation initiative, India’s Digital India, and Australia’s Cyber Security Strategy.
Regulators in some APAC jurisdictions are reviewing or amending existing laws and regulations to adapt to a more challenging legal landscape. For example, Japan’s newly amended Act on the Protection of Personal Information came into full effect in May 2017. And in July, Singapore sought opinions on proposed amendments to the Personal Data Protection Act (PDPA), and proposed a cybersecurity bill.
Where cybersecurity and data protection provisions are scattered across various rules and regulations, some maturing jurisdictions are working hard to introduce more comprehensive laws. One notable result is the implementation of China’s Cybersecurity Law, which came along with other relevant regulations and rules in mid-2017.
Another is Indonesia’s issuance of Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (PDP Regulation) in December 2016, alongside other major amendments made in the archipelago in the past year.
Zacky Zainal Husein, a Jakarta-based partner of Assegaf Hamzah & Partners, says the PDP Regulation is the first comprehensive data protection regulation under Indonesian law, although it is limited to personal data that are stored in electronic form. “However, it is still much in its infancy when compared to EU countries or Indonesia’s Southeast Asian neighbours, Singapore and Malaysia,” says Husein.
This developing status might also apply to neighbours such as Thailand and India, where comprehensive laws on either cybersecurity or data protection are yet to be put in place.
“The Information Technology Act, 2000 has been the only law dealing specifically with cyber crimes in India,” says Salman Waris, head of TMT and IP practice at TechLegis Advocate & Solicitors in New Delhi. “Considering the dynamic nature of cyber crimes and ever-evolving nature of technology, the IT Act has been criticized for its effectiveness, even after the amendments made in the past 17 years.”
Europe’s General Data Protection Regulation (GDPR), which will be implemented in 2018, stands out in the eyes of many countries drafting their own cyber and data legislation.
For example, in the implementing rules and regulations of the Philippines’ Data Privacy Act, a mandatory 72-hour data breach notification requirement is believed to be borrowed from the GDPR. Hong Kong’s Privacy Commissioner for Personal Data was also considering a possible revision of its two-decade-old Personal Data (Privacy) Ordinance in 2016 when reviewing the GDPR.
“It is being touted as the most stringent data privacy law around the world,” says Waris of TechLegis. “There are a few rights – as prescribed by GDPR – that the Indian data protection and privacy law should have as well.”
Another ground-breaking rule borrowed from the GDPR for APAC is the “right to be forgotten”. In 2016, Indonesia introduced this concept, claiming to be the first country in Asia to adopt it. In May 2016, South Korea also released guidance indicating that individuals can request website administrators and search engines to remove certain content related to personal data.
However, some point out that this might prove problematic for marketplaces or content producers. “The novelty of updating Indonesia’s main technology legislation to contemporary developments might be overshadowed by the inadequacy and brevity of the provision pertaining to ‘the right to be forgotten’,” says Husein.
A clear trend is that legal frameworks are becoming more stringent in many APAC countries as risks become clearer, and this can be demonstrated in many ways. One is the regulation of authorities’ powers and of the obligations of individuals and businesses within a jurisdiction.
China is a player known for such strict controls. In November 2016, President Xi Jinping in a video speech called for upholding “cyberspace sovereignty”, which means the government’s control over the internet.
“With respect to how advanced the cybersecurity framework is in China, we believe that China is taking a more stringent approach to cybersecurity and data security than, for example, the EU,” says David Tang, a Shanghai-based partner at Han Kun Law Offices.
Tang says this is because of the breadth of what types of data are proposed to be localized in China, the extent that cyberspace is actively regulated, and also the policy positions that the current administration has expressed regarding the concept of “cyberspace sovereignty”.
Another example is Singapore’s recent draft cybersecurity bill, which covers the powers of authorities such as the Cyber Security Agency of Singapore (CSA), the obligations of persons, and the regulation of critical information infrastructure (CII) and cybersecurity service providers.
“The Cybersecurity Bill gives the CSA powers to require any person to assist and co-operate in investigations, and also to take steps to prevent and respond to cybersecurity threats and cybersecurity incidents,” says Jack Ow, a Singapore-based partner at RHTLaw Taylor Wessing.
“The amount of information to be provided and the degree of co-operation that is expected will depend on the potential impact and/or the severity of the cybersecurity threat or cybersecurity incident,” he says.
Under the bill, there is also a pioneering licensing regime where certain cybersecurity service providers will be required to obtain a licence. Singapore is also considering a mandatory data breach notification system.
In Australia, meanwhile, in February 2017 the federal senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, establishing a mandatory notification system for data breaches.
Similarly, Indonesia’s PDP Regulation introduced a new policy that all electronic system providers that manage personal data electronically must certify their electronic systems according to the applicable standards under Indonesian law.
“However, since such certification has not been further stipulated under an implementing regulation, and is not carried out in practice, there is still much uncertainty for businesses on how to meet this requirement, especially considering that the PDP Regulation transitional period is ending on 1 December 2018,” says Husein.
In Thailand, the legal framework for data protection and cybersecurity is not well developed but the government is aware of the issues and is in the process of drafting relevant bills.
“Still, we do not expect that cybersecurity legislation will include any mandatory public disclosure obligations in the event of a breach in the foreseeable future. More likely is that we will see a possible reporting regime similar to the proposed new regime adopted by Singapore,” says Jeffrey Blatt, a Bangkok-based of counsel at Tilleke & Gibbins.
The requirements for data localization are also stringent in countries such as Australia, China, Indonesia and South Korea.
“Presently, the Cybersecurity Law [in China] provides that CII operators must localize personal information and important data that is collected or generated within China, and then such information may be subject to a security assessment if the collector wishes to transmit the information abroad due to business needs,” says Tang, from Han Kun, who also expects that current draft regulations in China will effectively broaden this requirement to all network operators, which would initially appear to be challenging with respect to both compliance and enforcement.
Indonesia also has particularly strict data localization rules specified in the Regulation No. 82 of 2012 on Implementation of Electronic Transactions and Systems (EITS Regulation). Like some of its neighbours, Indonesia has restrictions on specific sectors, such as health and banking. Its PDP Regulation also requires notification of overseas personal data transfers. “However, in practice it is unclear which sort of ‘overseas personal data transfer’ is required to be reported,” says Husein.
Even in jurisdictions with no express localization requirement, there are regulations governing the transfer of personal data.
“Where international transfers of personal data are concerned, then it is an express requirement under the PDPA that the transferring party must ensure, before transferring personal data overseas, that the receiving foreign party is bound by legally enforceable obligations to provide a standard of protection that is at least comparable to the standard of protection prescribed in Singapore,” says Ow, from RHTLaw Taylor Wessing.
Despite the introduction of various laws, uncertainties remain, some of them caused by unclear definitions or scope of key terms in new regulations.
Victor Fu, a Beijing-based international partner at Haiwen & Partners, points out that two topics are frequently discussed in China: (1) regarding cross-border data transfer control, must every network operator be subject to the rules under the recent draft regulations released for comment? and (2) how will the scope of the CII be determined in practice?
“These two questions are quite important for companies – especially multinational companies that have been used to setting up their IT resources abroad rather than localizing their resources in China – to decide where to put more IT resources,” says Fu. “However, so far the newly issued rules [drafts for comments only] have not yet provided clear answers to the above-mentioned two questions.”
In Japan, the Basic Cybersecurity Act, which came into force in November 2014, poses similar questions. “Consistent with its name, the act is somewhat basic in its requirements for businesses, imposing only very limited obligations on ‘critical infrastructure operators’, a term that the act does not define,” says Hunt, from Herbert Smith Freehills.
“The act’s introduction certainly reflects a step in the right direction. However, absent further legislative input, there remains a noticeable disparity between the cybersecurity obligations imposed on businesses operating in, say, the US or the EU, and those operating in Japan.”
With all the differing approaches to laws on cybersecurity and data protection in the APAC region, many believe it is critically important that countries consider how they can adopt standards to facilitate activities such as cross-border data transfer through a harmonization of the various regimes.
Some regional organizations are working hard in this direction. In a joint statement in 2016, the Association of Southeast Asian Nations (ASEAN) put forward agreed basic principles, at both national and regional level, for member countries to boost data protection in the region.
“This is clearly an area where some harmonization is required, optimally by treaty and possibly led by ASEAN,” says Blatt from Tilleke & Gibbins. “Cross-border data transfers are a reality today, as is government lawful access of data for data stored/transiting a jurisdiction.”
The updated Privacy Framework (2015) of the Asia-Pacific Economic Co-operation (APEC) also mentions its aim to promote cross-border co-operation. The Cybersecurity Law of China, an APEC member-state, says its goal on international exchange and co-operation in cyberspace governance is to create “a multilateral, democratic and transparent network governance system”.
Tang, from Han Kun, believes that it is uncertain to what extent relevant rules in China will restrain the efficient cross-border flow of information and become an obstacle for enterprises doing business in China, because the regime has not been fully developed.
“In that regard, we would expect China to moderate its regulatory approach and devise compliance and enforcement mechanisms with its trading partners so as to balance the demands of business and national security,” he says.
Differences of this kind remain a stumbling block on the road towards regional harmonization. “Among other reasons, there are many countries in the Asia-Pacific bloc at different levels of economic development,” adds Ow.
However, he says there is reason for optimism. “The cross-border exchange of digital goods, services and even ideas between Asian economies could very well be a key driver towards harmonization in order to facilitate and regulate intra-Asia trade.”
In China, says Fu from Haiwen, a more important issue for IoT and big data businesses is that they rely heavily on the collection of information, and the major impact comes from the broadly defined term “personal information”, which under the Cybersecurity Law and relevant rules refers to information recorded in electronic or any other form that is used alone or in combination with other information to identify a natural person.
“If the coverage of personal information is broad and the requirement on personal information collection is applied, the collection of information and data in such businesses may be subject to various rules,” says Fu.
There is still plenty of room for improvement. Blatt says the issues relating to biometrics and IoT are being inadequately dealt with in the Asia-Pacific. “With regard to IoT cybersecurity issues, there is relatively little regulation at this point, or minimum standards,” he says. “IoT devices are, and will continue to become, ubiquitous, and be a weak link in cybersecurity.”
Biometrics is another sector that needs attention. Some APAC jurisdictions, such as Japan and Taiwan, have introduced the concept of “sensitive personal data”, which includes a person’s medical record. Hong Kong also released the Guidance on Collection and Use of Biometric Data in 2015.
Biometrics is a particular issue for India. In August, about 20,000 records were reportedly leaked relating to India’s Aadhaar program, which is the world’s largest biometric identity system, with more than 1.1 billion enrolled members as of July 2017. India’s parliament passed the Aadhaar Act 2016 in March of that year to provide legal backing to the project.
“The act restricts the authorities from disclosing biometric information to any third party and imposes criminal penalties in case of any breach,” says Waris, from TechLegis. “However, the act does not address privacy issues outside the use of Aadhaar numbers and biometric information associated with Aadhaar.”