Dentons Privacy Community met on September 15, 2021 to discuss how to approach international data transfers in Asia, in particular Singapore, Korea, Hong Kong and China. The session explored the evolving regulatory landscape, the key rules and transfer solutions, and recent legislative developments. Below are the key takeaways. 

Singapore

  • In addition to transfer solutions that will be familiar to privacy professionals in Europe, such as contracts and binding corporate rules, data exporters in Singapore can rely on certification mechanisms to facilitate cross-border transfers: the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules System and the APEC Privacy Recognition for Processors. These multilateral certification mechanisms ensure certified organizations have policies that are consistent with the APEC framework and allow data transfers within participating APEC countries.
  • Furthermore, the ASEAN Model Contractual Clauses (MCCs) were launched in January 2021. These template contractual clauses are a transfer solution that can be included in contracts for transfers within ASEAN member states, or they can be modified for transfers to businesses in other jurisdictions. They provide a legal basis for transfers, address key issues, and reduce the time and costs associated with negotiations. However, organizations relying on them still need to ensure they are complying with member state’s broader requirements. For example, Singapore Personal Data Protection Act (PDPA) recommends certain adjustments to the MCCs.

South Korea

  • Last year, three overlapping privacy-related laws were consolidated into the Revised Personal Information Protection Act. Provisions governing international transfers impose requirements on “information and communications services providers” where they intend to transfer data abroad.
  • Consent is generally required for data transfers from South Korea, although exceptions may apply where exporters provide for this in their privacy notice or notify data subjects directly. Exporters must also negotiate with recipients of personal data to ensure suitable safeguards are included in the agreement governing the transfer. 

Hong Kong

  • Organizations intending to transfer data outside of Hong Kong face a choice: operating strictly within the provisions of the principle-based Personal Data (Privacy) Ordinance (PDPO) as they currently are, or taking account of Section 33 of the PDPO, —which is not yet in force. Many large companies and financial institutions choose the latter.
  • Under Section 33 of the PDPO, organizations can rely on a number of transfer solutions. Transfers are permitted:
  • to countries on the “white list” (yet to be published),
    • countries which, in the exporter’s reasonable view, offer a substantially similar level of protection to Hong Kong’s,
    • with the data subjects’ consent,
    • in order to avoid or mitigate adverse action,
    • or subject to certain statutory exemptions.

In addition to the above, there is a final “catch-all” that permits transfers where the exporter has undertaken appropriate due diligence and taken reasonable precautions to ensure that the data transferred will not be processed in a way that breaches the PDPO.

China

  • In August 2021, China passed the Personal Information Protection Law (PIPL), which comes into effect on November 1, 2021. Currently, restrictions on cross-border transfers apply in respect of:
  • The type of exporter—with Critical Information Infrastructure Operators (CIIOs) subject to more stringent obligations than the broader category of Network Operators
    • The categories of personal information, with robust restrictions on exporting financial and medical data
    • International judicial assistance, with prohibitions on providing personal data stored within China to foreign law enforcement authorities
  • Once it comes into effect, the PIPL will introduce three pre-conditions for cross-border transfers: requirements for a comparable protection standard of foreign processing, separate consent, and for exporters to carry out impact assessments and maintain records. In addition, there will be three approaches to cross-border transfers: a security assessment coordinated by the Cyberspace Administration of China (CAC), which will be compulsory for CIIOs (although the precise scope is to be confirmed); a protection certification from an accredited institute; or a standard contract with the overseas recipient to be formulated by the CAC.
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Marc Elshof

About Marc Elshof

Marc Elshof is a partner in our Amsterdam office and Co-Head of Europe Data Privacy & Security. He has specialised experience in complex IT and data protection matters.

Full bio

Tatiana Kruse

About Tatiana Kruse

Tatiana is legacy head of the Intellectual Property and Technology and Communications practices and is now Of Counsel in the Firm's London office, having retired from the partnership.

Full bio

Gilbert Leong

About Gilbert Leong

Gilbert Leong is a senior partner and Head of Dentons Rodyk's Intellectual Property and Technology practice group. He is also Co-Head of the Patents, Tech, Media & Telecomms, Licensing, Data Privacy & Protection and Cybersecurity practices.

Full bio

Desmond Chew

About Desmond Chew

Desmond is a Partner in Dentons Rodyk's Intellectual Property and Technology practice, and has been with the firm since 2015. His area of practice primarily focuses on technology, privacy and cybersecurity laws.

Full bio

MawJiun Foo

About MawJiun Foo

Foo Maw Jiun is a partner in Dentons Rodyk's Intellectual Property & Technology practice group and Co-Head of the Patents practice. He is also Co-Head of the Data Privacy & Protection and Cybersecurity practices.

Full bio

Sung-Ha PARK

About Sung-Ha PARK

Sung-Ha Park is an Attorney at Dentons Lee and is in charge of litigation and advisory services in relation to investment by foreigners in various fields such as M&A, capital market, fair trade, etc. Park is rendering advice to companies which carry out different businesses at home and abroad and handling various civil lawsuits.

Full bio

Andrew Park

About Andrew Park

Andrew Park is a Senior Managing Attorney at Dentons Lee. Having practiced law for 30+ years in both the US and Korea, Mr. Park is uniquely positioned to counsel clients on today’s national and cross-border transactions. He blends his expertise in the laws of both jurisdictions and his deep business networks, together with his understanding of the nuances of doing business in the East and the West, to successfully guide clients, and to close deals.

Full bio

Julianne Doe

About Julianne Doe

Julianne is a corporate partner in Dentons' Hong Kong office, with an emphasis on M&A, capital markets and corporate finance. She has more than 20 years of experience in structuring strategic and acquisition and investment transactions, including cross-border M&A and private equity, as well as bringing companies to initial public offerings and other forms of capital raising.

Full bio

Ken (Jiamin) Dai

About Ken (Jiamin) Dai

Ken Dai is a key partner in Competition and Antitrust practice in Dentons’ China region.

Full bio

RELATED POSTS