
Written by Ana Mishova

Posted on: November 30, 2023

Comparing GDPR with Asia’s Data Protection Legislation

What are the similarities and differences between GDPR and the data protection regulations enacted in some Asian states? We look at the situation in Singapore, Japan and APEC.

Data is a global concern. When an individual in Tokyo can have their data processed in Düsseldorf by a company incorporated in Austin, knowing which data protection laws apply, and how, becomes critical to global trade.

Across Asia, several countries and states have enacted their own legislation to safeguard personal data.

In this post, we explore the data protection laws of Japan, Singapore and APEC (the Asia-Pacific Economic Cooperation forum), ask what similarities they share with the EU’s General Data Protection Regulation (GDPR), and explore how they differ.

APEC Cross-Border Privacy Rules (CBPR)

Objective:

APEC CBPR is a framework established by the APEC to facilitate the cross-border flow of personal data among member economies while ensuring privacy protection.

GDPR Consistency:

While not directly aligned with GDPR, the APEC CBPR shares a common goal of safeguarding personal data.

As you might expect from a forum which includes the US, Russia and China among its 21 signatories, complete alignment is often challenging, something you can clearly see in the application of the CBPR. Whilst all APEC signatories have expressed an intention to join the CBPR at some point, only nine (including the US, but not China or Russia) have done so to date.

Perhaps as a consequence, the CBPR is not as joined up, prescriptive or comprehensive as GDPR, and acts more as a standard than a regulation. CBPR-certified organizations are bound to comply with it and that compliance is enforceable, but the CBPR sits alongside domestic law rather than replacing it.

The legal starting point for the two is also different, with GDPR a rights-based piece of legislation, while CBPR stems from securing data privacy in data transfers.

Singapore’s Personal Data Protection Act (PDPA)

Objective:

The PDPA aims to regulate the collection, use and disclosure of personal data by organizations in Singapore. It emphasizes transparency, consent, and accountability in data handling practices.

GDPR Consistency:

PDPA and GDPR share similar principles such as data subject rights, purpose limitation, and data breach notification. There are, however, numerous differences.

The rights conferred by the PDPA are more generalized than those under the GDPR. In particular, the PDPA contains no right to erasure, no right to object to the processing of personal data (although individuals can withdraw consent), and originally no right to data portability. This last point has since been altered by the Personal Data Protection (Amendment) Act 2020.

The PDPA, with just one or two exceptions, contains no requirement for organizations to maintain records of processing activities.

GDPR defines pseudonymized data (that is, data which could not be attributed to an individual without additional, separately held information) and confirms that such data remains subject to GDPR. The PDPA makes no mention of it.

Japan’s Act on the Protection of Personal Information (APPI)

Objective:

APPI sets rules for handling personal information in Japan, and emphasizes the importance of obtaining consent, maintaining accuracy, and protecting against unauthorized access.

GDPR Consistency:

There are numerous parallels between APPI and GDPR in terms of consent, purpose limitation, and security measures. Yet there are specific cultural and legal nuances that differentiate APPI from GDPR. These include:

GDPR makes a distinction between data controllers and data processors. APPI does not, placing all “personal data handling operators” together.

GDPR makes distinct provision for data used in connection with scientific or historical research. APPI does not.

APPI does not recognize any right to data portability. GDPR does.

Scope:

GDPR has an extraterritorial reach, applying to organizations worldwide if they process EU residents’ data. APEC, PDPA, and APPI primarily regulate within their respective jurisdictions.

Enforcement:

GDPR imposes substantial fines for non-compliance.

APEC, PDPA and APPI have their own enforcement mechanisms. While fines are among the available sanctions, they are typically smaller than the GDPR’s maximum penalty. The notable exception is CBPR, where the fine of 4% of global turnover is a direct match for GDPR. Under APPI, by contrast, the maximum single fine is JPY 1 million (around €6,000 at the time of writing), although imprisonment is also a possible sanction.

Does complying with Asia’s data protection laws guarantee compliance with GDPR?

No. Inevitably, compliance with any of Asia’s data protection standards will make it easier to align with GDPR requirements (you can find a complete guide to the General Data Protection Regulation here), because many of the building blocks of compliance will already be in place.

But as the above summary demonstrates, the differences are sufficient to ensure that compliance with one standard does not automatically mean compliance with another (whether that’s the GDPR or another Asian standard).

GDPRLocal can help ensure that, wherever you operate and wherever you process data, you meet the compliance standards required of your organization, and keep your customers and reputation protected. Get expert support in managing your data protection here, or call +1 303 317 5998.
