Privacy Enforcement in APAC: Privacy Breach Penalties by APAC Regulators
Privacy breaches and enforcement in Europe, the US, and Australia garner much media attention in Australia. But there are many countries in the Asia-Pacific region (APAC) with privacy laws – and regulators that are enforcing them. Let’s take a look at privacy enforcement in APAC:
Privacy Enforcement in APAC
Japan’s Privacy Law
Japan’s comprehensive data protection act, known as APPI, was amended in 2020 and came into effect on 1 April 2022. This law brings Japan’s data subject rights into close alignment with Europe’s GDPR, including requiring (amongst other things):
- Mandatory data breach notifications;
- Consent to transfer personal data outside Japan; and
- Pseudonymisation in certain circumstances.
Privacy Enforcement in Japan
Privacy enforcement in Japan is overseen by the Personal Information Protection Commission (PPC). Under the amended law, the potential financial penalty was increased to up to 100 million yen (or just over $1 million AUD) for privacy breaches.
However, one of the most notable privacy enforcement decisions in Japan came just prior to the amendments. The Rikunabi scandal arose when an online platform service was found to be sharing the personal data of students with customer companies without the students’ consent. The personal data being shared related to profiles created by the online platform that calculated the ‘possibility [by percentage] of declining job offer’. These scores were calculated based on the students’ browsing histories, and this information was supposed to be de-identified. However, the customer companies could (and did) re-identify the information.
The issues in this matter led to Japan’s PPC drafting new rules regarding data transfers in 2020. The company was ordered to improve privacy protections, too, but it doesn’t appear that a penalty was imposed (possibly because of the deficiencies in Japan’s previous privacy law).
South Korea Privacy Law
South Korea’s constitution recognises the right to privacy and privacy of communications as fundamental rights. Additionally, South Korea has a comprehensive privacy law called the Personal Information Protection Act 2011. The law centres heavily around consent from the data subject and is very prescriptive in terms of the handling of personal data throughout its lifecycle. It is enforced by multiple bodies, including the Korean Communications Commission (KCC), Korean Financial Services Commission (FSC), Personal Information Protection Commission (PIPC), and Korean Internet and Security Agency (KISA).
Privacy Enforcement in South Korea
The regulators in South Korea are not averse to imposing significant financial penalties for privacy breaches. For example, the KCC imposed a penalty of 186 million KRW ($207,000 AUD) against TikTok in 2020 for collecting the personal information of minors under 14 without parental consent. TikTok was also hit with a further $6,700 AUD fine for failing to disclose overseas transfers of personal information.
Singapore Privacy Law
Singapore’s Personal Data Protection Act 2012 (PDPA) is enforced by the Personal Data Protection Commission (PDPC). The 2012 bill was comprehensively revised in 2020 and came into effect in 2021. The changes included introducing mandatory data breach notification requirements, as well as the ability for the PDPC to impose financial penalties of up to 10% of an organisation’s annual turnover in Singapore where the organisation’s turnover exceeds 10 million SGD. For other organisations, the available penalty is up to 1 million SGD. That said, the changes to the financial penalties do not come into effect until October 2022.
Singapore Privacy Enforcement
The PDPC’s highest penalty to date was imposed on SingHealth Services Pte Ltd and Integrated Health Information Systems Pte Ltd in the wake of a 2019 cyber-attack on a patient database. The cyber-attack was enabled by the failure of security controls, including unpatched servers, and by delays in responding to evidence of cyber-attacks. The intrusion resulted in the personal information of 1.5 million individuals being breached (including that of Singapore’s Prime Minister). As a result, the companies were fined 250,000 SGD (or $257,000 AUD) and 750,000 SGD (or $772,000 AUD) respectively.
Privacy 108 and OneTrust
Privacy 108 is a OneTrust partner. Our team can help you configure your OneTrust platform and create a bespoke solution that works for your organisational needs and obligations. We can help you to align your privacy program with your business processes and operationalise a solution that accelerates your path to compliance, whilst maximising your return on investment.
Whether you have already implemented OneTrust, or you wish to start soon, we can help you create enduring value and get the most from the tool by building a customised solution for your organisation and optimising your implementation in accordance with legislation applicable to your organisation.