APP Compliance Practice 3000 Questions Part Five


According to the Vietnam Government's official website, the Prime Minister of Vietnam signed Government Resolution No. 13/NQ-CP on February 7, 2023, approving the formulation of the Personal Data Protection Law. At the same time, the resolution also approved exceptions to the processing of personal data without the consent of the data subject. The Vietnamese Government promulgated Decree No. 13/2023/ND-CP, the Personal Data Protection Law (PDPD), on April 17, 2023, and the PDPD came into effect on July 1, 2023.

PDPD stipulates 11 rights for data subjects, including the right to know, the right to consent, the right to access, the right to withdraw consent, the right to delete, the right to restrict processing, the right to data portability, the right to object to data processing, the right to complain, report, and file a lawsuit, the right to claim, and the right of self-defense.

PDPD requires parties that transfer personal data across borders to conduct an impact assessment of the transfer of personal data abroad, prepare the related materials, and keep the cross-border transfer impact assessment file available for inspection and evaluation by the Vietnamese Ministry of Public Security. In addition, the party responsible for the cross-border transfer must complete Form No. 06 of the PDPD and send it to the Ministry of Public Security within 60 days from the date the personal data is processed. After the transfer is completed, the party responsible for the transfer must notify the Ministry of Public Security of the status of the transfer and of the contact details of the organization or individual responsible for it. The Ministry of Public Security evaluates the submission and, where the transfer file is incomplete or inaccurate, requires the applicant to improve the cross-border transfer impact assessment materials. The party responsible for the transfer must also update the assessment materials using Form No. 05 of the PDPD within 10 days of any change to the content of the impact assessment file submitted to the Ministry. In special circumstances, the Ministry of Public Security may decide to inspect the export of personal data once a year, depending on the specific situation.

India

India's personal data protection legislation has gone through several iterations: the first version was proposed in July 2018, updated drafts followed in 2019 and 2022, and on August 9, 2023, the Indian Upper House passed the draft Digital Personal Data Protection Act (DPDP) 2023. The DPDP Act contains provisions on its effective date, definitions of key concepts and scope of application, cross-border data flows and exemptions, revision requirements, coordination mechanisms with other laws, and penalty limits. The Act applies to data collected in India in digital form, or collected in non-digital form and subsequently digitized, as well as to related activities outside India that offer products or services to Indian data subjects. Processing for personal or family purposes, and personal data that the data subject or another legally obligated party is required by law to disclose, are exempt. The Act provides that data controllers may process personal data with the consent of the data subject (for minors under the age of 18, consent must be given by a parent or legal guardian), or on the basis of legitimate purposes, including:

  • Where the Indian government provides any permit, benefit, or other service to the data subject, or acts in the interests of sovereignty and security;
  • To comply with a law or a court or enforcement order;
  • For employment purposes;
  • For medical emergencies, epidemics, or disasters.

In addition, data controllers must appoint a data protection officer. The Indian government may designate certain data controllers as significant data controllers, based on factors including:

  • The sensitivity and quantity of data;
  • The impact of data processing on the rights of data subjects;
  • The impact on the sovereignty, security, and integrity of India.

Significant data controllers take on additional obligations, including appointing an independent auditor and conducting data protection impact assessments. As for cross-border transfers, personal data may be transferred to countries outside India, but the Indian government has not yet announced which countries meet the conditions it sets. Violations of the Act are subject to a maximum fine of 2.5 billion Indian rupees (about 31 million US dollars).

Thailand

Thailand's first Personal Data Protection Act (PDPA) came into effect on June 1, 2022, after two delays, and contains provisions on data subjects' rights, data processors' obligations, and cross-border data transfers. The PDPA clarifies that data controllers and processors (whether public or private entities) must obtain the consent of the data subject before processing personal data, and must clearly inform the data subject of the purpose and use of their personal data.

The Act explicitly grants data subjects the rights to access, delete, correct, and object to the processing of their personal data: they may request access to their personal data, request its deletion, and object to the collection, use, or disclosure of their personal data.

Data controllers and processors must take appropriate security measures for managing and storing personal data, so as to prevent personal data from being leaked or used illegally or without authorization. A personal data breach must be notified to the Office of the Personal Data Protection Commission within 72 hours of its occurrence.

Data controllers and processors may not transfer personal data outside of Thailand without the consent of the data subject, unless it is in accordance with the law or necessary for the performance of a contract.

Indonesia

Indonesia's Personal Data Protection Law (PDPL) came into force on October 17, 2022, after approval by the President. It covers, among other things, the principles governing data processing by data controllers, the rights of data subjects, and cross-border data transfers.

  • Explicit consent of the data subject must be obtained for the processing of personal data, and the data controller must inform the data subject of the legal basis, purpose, categories, methods, retention period, and processing period, and of the data subject's rights. Besides the data subject's consent, other legal bases include contractual necessity, legal obligation, protection of the vital interests of the data subject, and the legitimate interests of the controller.

  • Data subjects have the right to be informed, to access, to correct, to withdraw consent, to delete, to object to automated decision-making, to limit the processing of their personal data, to data portability, and to sue the data controller or processor.

  • For cross-border data transfers, the conditions apply in order of priority: first, the level of personal data protection in the receiving country must not be lower than the standard of the Indonesian regulations; if that is not met, the controller must ensure that sufficient and binding personal data protection measures are in place; if that is not met either, the consent of the data subject must be obtained.

Australia

On February 16, 2023, the Australian Attorney-General's Department released the final report of its review of the Privacy Act 1988, titled '2022 Privacy Act Review Report', for public comment. The report proposes further reforms to the Act, including but not limited to:

  • Strengthening the requirements for consent and notification;
  • Introducing the concepts of 'controller' and 'processor', and updating the definition of 'personal information';
  • Adding obligations regarding 'de-identification';
  • Introducing new individual rights, such as the right to erasure;
  • Requiring mandatory privacy impact assessments for any 'high privacy risk activities';
  • Providing additional protection for children and vulnerable groups;
  • Enhancing regulatory and enforcement powers.

The report states that 'consent' must be voluntary, informed, current, specific, and unambiguous, and recommends that the Office of the Australian Information Commissioner (OAIC) develop guidance on how consent requests for online services should be designed. The report expands the scope of personal information, clarifying that it includes technical information (such as IP addresses, device identifiers, and location data) and inferred information (such as predictions of behavior or preferences). It also requires controllers to have clear and understandable privacy policies, and to establish children's online privacy rules for services aimed at children.

United States

In 2023, the United States is strengthening its regulatory efforts in the field of privacy protection. California, Virginia, Colorado, Utah, and Connecticut have each passed data privacy laws. The 'California Privacy Rights Act' (CPRA) is an upgraded version of the 'California Consumer Privacy Act' (CCPA): it introduces the concept of 'sensitive personal information', the right to correct, and a newly established state privacy protection agency (CPPA), which significantly strengthens consumer rights. CPRA came into effect on January 1, 2023, leaving enterprises a further 6 months to remediate, and enforcement began on July 1, 2023 (6 months after the effective date). The 'Virginia Consumer Data Protection Act' (VCDPA) came into effect on January 1, 2023. The 'Colorado Privacy Act' (CPA) and the 'Connecticut Data Privacy Act' (CTDPA) took effect on July 1, 2023. The 'Utah Consumer Privacy Act' (UCPA) will come into effect on December 31, 2023.

Japan

The latest revision of Japan's 'Personal Information Protection Law' (APPI) was implemented on April 1, 2023. Since the promulgation of APPI in 2003, it has been revised in 2015, 2020, and 2021. According to the official website of the Japan Personal Information Protection Commission (PPC), the new version of APPI is divided into a total of eight chapters, including General Provisions, Responsibilities of National and Local Governments, Personal Information Protection Measures, Obligations of Operators in Handling Personal Information, Obligations of Administrative Organs, the Personal Information Protection Commission, Other Provisions, and Penalty Provisions.

This revision consolidates previously scattered legislation, merging the 'Personal Information Protection Law', the 'Administrative Organs Personal Information Protection Law', and the 'Independent Administrative Institution Personal Information Protection Law' into a single law, and also brings the 'Personal Information Protection Regulations' of local public bodies under the unified supervision of the PPC.

South Korea

On February 27, 2023, the National Assembly of South Korea passed a bill revising the 'Personal Information Protection Act' of 2011 (PIPA). According to the official Korean legislation website, the content added on March 14, 2023 includes, but is not limited to, the data subject's right to data portability, the right to refuse automated decision-making, the protection of children's personal information, special provisions for cross-border transfers, and the designation of September 30 as Personal Information Protection Day. The revision takes effect on September 15, 2023.

Russia

On July 6, 2022, Federal Law No. 266-FZ on Amending the Federal Law 'On Personal Data' (the revised bill) was passed by the State Duma of the Russian Federation, and on July 14, 2022, the President of Russia signed Federal Law No. 266 into law. The revised bill makes major amendments to Federal Law No. 152-FZ 'On Personal Data Protection' of July 27, 2006, covering cross-border transfers, personal biometric data, data breach reporting, and other matters. The revised bill came into effect on September 1, 2022, but some provisions related to cross-border data transfers were postponed to March 1, 2023.

This revision adds a prior notification procedure for cross-border transfers of personal data. From March 1, 2023, operators must, in addition to the obligation under Article 22 of the Personal Data Protection Law to notify the Federal Service for Supervision of Communications, Information Technology, and Mass Media of the Russian Federation (RKN) of personal data processing, also notify the RKN and submit materials before starting a cross-border data transfer; the RKN then assesses whether additional information is required. To confirm the accuracy of the notification, the RKN may require the sender to provide the following information, which the sender must have obtained from the data recipient beforehand:

  • The protective measures the data recipient applies to the transferred data, and the conditions under which processing of that data will be terminated;

  • If the receiving country is not on the list of countries providing adequate protection, the provisions of the receiving country's law on personal data;

  • The data recipient's details (name, contact phone number, postal address, and email address).

If requested, the sender shall provide the information within 10 working days after receiving the request, and it may be extended to a maximum of 15 working days if there is a justified reason.

If the receiving country is on the RKN's list of countries providing adequate protection, the cross-border transfer may begin immediately after notification. If the RKN subsequently reviews the notification and decides to prohibit or restrict the cross-border transfer of personal data, either to protect the morals, health, rights, and legitimate interests of citizens, or under Article 12, Paragraph 12 of the Personal Data Law of the Russian Federation to protect the constitutional order, national defense and security, economic interests, and similar interests of the Russian Federation, the sender must stop or restrict the transfer as required.

If the receiving country is not recognized as providing adequate protection, the sender must wait for the RKN to examine its notification, unless the cross-border transfer of personal data is necessary to protect the life, health, or other vital interests of the data subject or of others. The waiting period is 10 working days from the RKN's receipt of the notification.

It should be noted that the cross-border transfer provisions do not affect the localization provisions that Federal Law No. 242 added to the 'Personal Data Law of the Russian Federation': operators must localize the processing of personal data of Russian Federation citizens and must report the addresses of the databases located in Russia to the RKN.

Saudi Arabia

According to the official website of Saudi Arabia, Royal Decree No. M/19 of September 17, 2021, approved Resolution No. 98 of September 14, 2021, which enacted the 'Personal Data Protection Law' (PDPL). The resolution was published in the official gazette on September 24, 2021. Under Article 43 of the PDPL, the law was to take effect on March 23, 2022 (180 days after the date of publication), but for various reasons the Saudi Data and Artificial Intelligence Authority (SDAIA) decided to postpone the effective date to March 17, 2023. In addition, on July 11, 2023, SDAIA launched two public consultations: on the draft 'Regulation on the Implementation of the Personal Data Protection Law (PDPL) (Draft)', revised on March 21, 2023, and on the 'Draft Regulation on Cross-border Transmission of Personal Data Outside the Kingdom Geographical Boundaries (Draft)', also known as the 'Draft Regulation on Cross-border Transmission of Personal Data (Draft)'.

PDPL establishes the principle of transparency. The data controller must achieve transparency through a privacy policy that specifies the purposes, categories, methods, storage, processing, and destruction of personal information, as well as the rights of data subjects and how those rights can be exercised. The data subject must be able to view the privacy policy before personal data is collected. Data subjects have the rights to be informed, to access, to transfer, to correct, to refuse processing, to withdraw consent, and to file complaints with the competent authorities about any violation of the PDPL or its administrative regulations. The draft implementing regulations supplement and further clarify the provisions of the PDPL.

The current PDPL strictly restricts transfers of personal data to countries outside the Kingdom. The 'Regulation on Cross-border Transmission of Personal Data (Draft)' sets out the rules for transfers where the third country lacks an appropriate level of personal data protection. Under the draft regulation, the data controller must first determine that the relevant provisions of the third country (or of a specific sector within it) or of the international organization will not adversely affect the privacy protection of the data subjects or the exercise of their rights. At the same time, the data controller must adopt corresponding safeguards, such as binding corporate rules (BCRs), standard contractual clauses (SCCs), certifications that comply with the PDPL and its regulations, or binding codes of conduct.

Legislation worldwide continues to deepen. Enterprises with cross-border operations must not only strengthen their own data security capabilities but also keep track of the differing developments and trends in data protection across countries, so as to meet compliance requirements both at home and abroad.
