olaideogungbesan | Privacy Matters | DLA Piper Data Protection and Privacy | DLA Piper
https://privacymatters.dlapiper.com/author/olaideogungbesan/
DLA Piper's Global Privacy and Data Protection Resource
Thu, 17 Aug 2023 15:41:38 +0000

VIETNAM: First Personal Data Protection Decree passed – What you need to know
https://privacymatters.dlapiper.com/2023/05/vietnam-first-personal-data-protection-decree-passed-what-you-need-to-know/
Wed, 24 May 2023 02:25:00 +0000
Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To

Vietnam’s long-awaited, first-ever Personal Data Protection Decree (“PDPD”) has finally been passed and is scheduled to take effect from 1 July 2023 (save limited grace period exceptions).

The PDPD is the first comprehensive data protection regulation consolidating Vietnam’s existing data protection regulatory framework (which is found across various legal instruments).

Given the tight timelines, businesses which engage in or relate to personal data processing activities in Vietnam are advised to take prompt action to ensure compliance.

The most notable provisions of the PDPD relate to the compliance requirements in general processing and cross-border transfers of personal data.

Highlights of the PDPD
  • Consent: the primary legal basis for processing personal data remains consent.
  • Data Protection Impact Assessment (“DPIA”) Profile: data controllers are required to prepare and maintain DPIA Profiles for their personal data processing activities. In certain circumstances the DPIA Profile may need to be submitted to the regulators.
  • Cross-Border Transfer of Personal Data: in order to transfer personal data outside of Vietnam, organisations must complete and submit a Dossier of Impact Assessment for Cross-Border Personal Data Transfer (“TIA Dossier”). The regulators may halt data transfers in situations where an organisation violates national security, submits an incomplete TIA Dossier, or loses or discloses personal data of Vietnamese citizens.
  • Data Localisation: surprisingly, the PDPD has not addressed the issue of data localisation. That said, organisations should continue to observe developments on this, and follow existing laws and regulations, notably the interaction between the PDPD and the Cybersecurity Law (Decree 53).
  • DPO: organisations may need to appoint a DPO and register them with the authority, especially if sensitive personal data is processed.
  • Data subject rights: certain data subject rights are now subject to a 72-hour handling deadline.
  • Data incident: data breach incidents must be notified within 72 hours of the occurrence.
What next – practical steps

In view of the tight timescales to ensure compliance with the PDPD, organisations should accelerate their review of existing data privacy programmes and remedy any inconsistencies with the PDPD requirements.

Please contact Carolyn Bigg, Venus Cheung, or Gwyneth To if you have any questions or to see what this means for your organisation.

CHINA: CBDT routes now all clear – Draft guidelines for CAC Certification route published
https://privacymatters.dlapiper.com/2023/03/china-cbdt-routes-now-all-clear-draft-guidelines-for-cac-certification-route-published/
Thu, 23 Mar 2023 07:43:00 +0000
Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To

It is now time to focus on the steps that data controllers need to take to legitimize overseas processing of China personal information via the CAC certification route.

Background: Most PRC data controllers should have already identified whether to follow the CAC assessment/approval route (see our summaries here and here), the China SCCs route (see our summary here) or a specific route for regulated industries, and have started complying with the requirements of that route. Until now, however, non-PRC data controllers processing China personal information have known they likely have to follow the CAC certification route, but have not understood what that entails.

Now, closely following the China SCCs being finalised, the Draft Guidelines on Certification Requirements for Cross-Border Transfers of Personal information (“Draft Guidelines”) – the final one of the three main routes to legitimizing cross-border transfers – were published for public consultation on 16 March 2023.

Who may go through the CAC certification route:
  1. non-PRC data controllers of China personal information; and
  2. a limited number of PRC data controllers who only transfer China personal information outside of Mainland China to their group companies (and no onward transfers beyond the group) and who do not meet the thresholds for the other three cross-border data transfer (“CBDT”) routes.

By way of reminder of the other CBDT routes:

  • organisations that meet the thresholds for the CAC assessment/approval route are: (1) organisations designated as a Critical Information Infrastructure Operator; (2) organisations that export “important data”; (3) organisations that process personal information of more than one million individuals and intend to export some of it; or (4) personal information controllers that transfer overseas (i) personal information of more than 100,000 individuals in aggregate, or (ii) sensitive personal information of more than 10,000 individuals in aggregate, where “in aggregate” means in the period from 1 January of the preceding year;
  • organisations that meet the China SCCs route are PRC data controllers that do not meet the CAC assessment/approval thresholds and transfer data outside of China beyond just their own group of companies; and
  • certain regulated industries will need to follow a route specified by their industry regulator.

What is the CAC certification route: those that must follow the CAC certification route will have to take the following five steps to legitimize the cross-border transfer of China personal information:

  1. Legally binding agreement: a DPA containing prescribed obligations must be put in place by the data controller with the overseas recipient of the China personal information to ensure the rights and interests of data subjects are adequately protected. The agreement should at a minimum include:
      • basic information about the data controller and overseas recipient;
      • purpose, scope, type, sensitivity, quantity, method, retention period, storage location of cross-border data processing;
      • the responsibilities and obligations of data controllers and overseas recipients in protecting personal information;
      • data subject rights, and the means of safeguarding such rights;
      • relief, termination, liability for breach, dispute resolution etc.;
      • the overseas recipient undertaking to comply with the same set of obligations as the data controller for CBDT, and that the level of protection does not fall below the standards stipulated by the requirements under PRC laws and regulations;
      • the overseas recipient undertaking to be subject to ongoing monitoring of cross-border processing of personal information by the CAC certification body (see below);
      • the overseas recipient undertaking to accept the jurisdiction of PRC data protection laws and regulations;
      • a clearly specified legal entity within the PRC being responsible for fulfilling obligations to protect personal information;
      • the data controller and overseas recipient undertaking to assume civil liability for the infringement of personal information rights, and clearly agreeing on the civil liability assumed by each party; and
      • other obligations under applicable laws and regulations.

Data subjects are given third party beneficial rights under the legally binding agreement, which enable them to exercise their data subject rights and seek recourse directly from the overseas recipient.

Organisations may consider entering into the China SCCs as a starting point, and supplementing them as appropriate (i.e. including requirements such as ongoing monitoring by the CAC certification body).

  2. Organisational management: the data controller must:
      • appoint a DPO: the Draft Guidelines set out the scope of responsibilities of the DPO, but do not clarify where (i.e. inside or outside of Mainland China) the DPO should reside, and how this aligns with the “legal representative” concept for non-PRC data controllers in the Personal Information Protection Law (“PIPL”) (and mentioned above in connection with the legally binding agreement); and
      • establish a “Personal information Protection Agency” within its organisation to fulfil the obligations of personal information protection (most notably conducting PIIAs, regular compliance audits, and cooperating with the certification body as part of their ongoing supervision of cross-border processing activities). Again, the Draft Guidelines unfortunately do not specify where and how this should be established for non-PRC data controllers.
  3. General rules for handling personal information: putting in place a data protection compliance programme to ensure that China personal information is processed to standards akin to the PIPL and other China data protection laws, such as data security and data retention.
  4. PIIAs: undertake a personal information impact assessment (“PIIA”, China’s version of the GDPR DPIA) for each overseas transfer.
  5. Certification process: the Draft Guidelines do not elaborate on the actual “certification” process and timelines, save that the certification bodies are being appointed by local CAC branches to undertake ongoing supervision of those that must follow the CAC certification route. This indicates that some form of registration or more will be required, and somewhat surprisingly suggests that monitoring will be of both the data controller and overseas recipients of the China personal information.

CAC certification is not the only CBDT compliance step: taking the above CAC certification steps alone does not legitimize the cross-border transfers of personal information. If you are subject to the CAC certification framework, do not forget the need to obtain separate, explicit consent from data subjects for the cross-border data transfer (on top of general consent to data processing and other separate consents for processing of (inter alia) sensitive personal information).

Next steps

Public consultation on the Draft Guidelines closes on 15 May 2023. It is not uncommon for changes to be made to the Draft Guidelines before they are finalised, so organisations should closely monitor developments over the coming months. In the meantime, organisations should press ahead with the other CBDT compliance steps outlined immediately above in anticipation of the CAC certification process being finalised.

Please contact Carolyn Bigg (Partner) or Amanda Ge (Of Counsel) if you have any questions or to see what this means for your organisation.

SINGAPORE: First decision on the Legitimate Interest Exception under the Personal Data Protection Act (PDPA) issued
https://privacymatters.dlapiper.com/2023/03/singapore-first-decision-on-the-legitimate-interest-exception-under-the-personal-data-protection-act-pdpa-issued/
Tue, 07 Mar 2023 02:11:46 +0000
Authors: Carolyn Bigg, Yue Lin Lee and Daisy Wong

Singapore’s Personal Data Protection Commission (“PDPC”) has issued its first decision on the Legitimate Interests Exception under the PDPA.

While the PDPA remains largely a consent-based regime, the Legitimate Interests Exception is one of the exceptions from consent available under the PDPA.

This RedMart decision illustrates how organisations may rely on the Legitimate Interests Exception to collect personal data, as well as the steps which must be taken by the organisation in order to rely on the Legitimate Interests Exception.

The decision concerned a complaint against RedMart Limited (“RedMart”) for collecting the photographs of identification documents (“ID Photographs”) of its suppliers delivering goods and produce to its warehouses without obtaining the consent of its suppliers. RedMart is an online grocery company, selling a range of dry household products.

In the PDPC’s preliminary decision, RedMart was given directions to assess its collection of the ID Photographs.

However, the PDPC was subsequently satisfied that RedMart had not breached the PDPA, as RedMart’s collection of ID Photographs had met the requirements under the Legitimate Interests Exception:

  1. RedMart had a legitimate interest in deterring food security incidents at the warehouses, in which there were areas storing dry food and fresh produce that were vulnerable to contamination and tampering;
  2. RedMart may have a legitimate interest in implementing enhanced identification requirements (collection of ID Photographs) in order to establish/verify the identities of visitors to a high degree of fidelity and to regulate access to areas with a higher risk of food security incidents – RedMart has an interest in deterring and investigating potential food security incidents which could cause harm to the public and damage to RedMart’s reputation; and
  3. RedMart had implemented a range of measures and enhanced access controls (e.g. restricting access to the tablets used for data collection, limiting access to the ID Photographs to designated personnel, retaining the ID Photographs on their database for a limited period only) to significantly lower the risks of unauthorised access, use and/or disclosure of information of a sensitive nature such as the ID Photographs.
Key takeaways

Organisations intending to rely on the Legitimate Interests Exception must:

  • establish a standardised process for conducting an assessment of the basis upon which they will be relying on this exception; and
  • ensure that appropriate measures are implemented to mitigate against any risks and adverse effects on individuals.

To recap, in order to rely on the Legitimate Interests Exception, organisations must:

  1. evaluate whether the collection of such data is reasonably necessary for the organisation’s legitimate interest;
  2. identify whether the collection of such data is likely to have an adverse effect on the individual(s), and if so, identify reasonable measures that could be implemented to eliminate, mitigate, or reduce the likelihood of occurrence of any such adverse effect(s);
  3. determine whether the organisation’s legitimate interest served by the collection of such data outweighs the adverse effect(s) to the individual(s) after implementing reasonable mitigation measures; and
  4. provide the individual(s) with reasonable access to information about the organisation’s collection, use or disclosure of such personal data (e.g. by way of disclosure in its public data protection policy).

The PDPC’s decision may be accessed here.

Please contact Carolyn Bigg (Partner) or Yue Lin Lee (Senior Associate) if you have any questions or to see what this means for your organisation.

DLA Piper Singapore Pte. Ltd. is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.

CHINA: Final China SCCs for CBDT published – What you need to know
https://privacymatters.dlapiper.com/2023/02/china-final-china-sccs-for-cbdt-published-what-you-need-to-know/
Tue, 28 Feb 2023 04:18:10 +0000
Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To

Summary: The final version of the China SCCs has now been published, meaning those organisations that haven’t had to apply for CAC approval for their cross-border transfers of personal information now have until 1 December 2023 to:

  • sign the China SCCs with overseas recipients of personal information; and
  • file a copy of the signed China SCCs and accompanying PIIA with the local branch of the CAC.

Otherwise, for those organisations that must follow the China SCCs route, cross-border data transfers must stop until these steps are taken.

Additional guidance has been given to support those organisations assessing whether they must follow the CAC assessment/approval or China SCCs routes.

Background: The long-awaited final version of the China standard contractual clauses for cross-border transfers of personal information (“China SCCs”) was finally published on 24 February 2023 by the Cyberspace Administration of China (“CAC”) via the Measures for Standard Contracts for Transferring Personal Information Overseas (“Measures”).

Timing: There is a grace period until 1 December 2023 for personal information controllers to:

  • sign the new China SCCs with overseas recipients of their personal information; and
  • file a copy of the signed China SCCs, together with the corresponding personal information impact assessment (“PIIA”, China’s version of the GDPR DPIA) completed by the organisation, with the local branch of the CAC.

The Measures will come into force on 1 June 2023, and organisations then have six months from this date to take these steps.

Who must put in place the China SCCs: personal information controllers that do not meet the thresholds for the CAC assessment/approval route, or the CAC certification for non-China personal information controllers, must follow this China SCCs route to legitimise their transfers of personal information outside of Mainland China.

By way of reminder:

  • those organisations that must follow the CAC assessment/approval route are: (1) organisations designated as a Critical Information Infrastructure Operator; (2) organisations that export “important data”; (3) organisations that process personal information of more than one million individuals and intend to export some of it; or (4) personal information controllers that transfer overseas (i) personal information of more than 100,000 individuals in aggregate, or (ii) sensitive personal information of more than 10,000 individuals in aggregate, where “in aggregate” means in the period from 1 January of the preceding year; and
  • non-China personal information controllers should instead follow the alternative CAC certification route (details not yet published).

Strictly speaking, personal information controllers that must follow the CAC assessment/approval route or the CAC certification route need not sign and file the China SCCs. Indeed, as noted below, the China SCCs are drafted assuming that the personal information controller is a Mainland China entity. That said, it would be sensible for such organisations nonetheless to sign the China SCCs with overseas recipients of China personal information as evidence of good practice, even if they do not need to do so within the grace period or to file them.

China SCCs apply to C2C and C2P transfers: Unlike the GDPR SCCs, the China SCCs do not differentiate between controller-to-controller or controller-to-processor transfers.

The obligation to sign and file the China SCCs is on the Chinese personal information controller. It appears that, in a C2C situation, both personal information controllers (assuming both are Chinese entities and are subject to the China SCCs route) have their own obligation to file the signed China SCCs (together with each of their independent PIIAs conducted for the transfer).

It is unclear from the Measures whether personal information processors must sign and file the China SCCs with their sub-processors. While we await guidance on this, it is advisable as a matter of good practice to flow down the China SCCs to those sub-processors.

China SCCs cannot be negotiated but can be added to: Similar to the GDPR SCCs, the China SCCs must be executed “as is”. This is good news for personal information controllers who will be seeking to sign the China SCCs with the big technology vendors, as it should expedite the signing process.

On the other hand, unlike the GDPR SCCs, organisations may negotiate additional (i.e., enhanced) terms with overseas data recipients, provided that these do not conflict with the China SCCs. However, in practice, we anticipate many data processors will be reluctant to sign terms over and above the China SCCs.

Filing practicalities: Organisations must submit a filing to the local CAC branch, including:

  • the signed China SCCs – Chinese language; it is unclear whether bilingual versions will be accepted; and
  • the corresponding PIIA,

within 10 business days of the China SCCs taking effect (i.e., from the signing or effective date of the China SCCs stated on the signed version).

So, effectively, a filing will be needed for each overseas transfer/recipient.

Details of the in-person or online filing procedure have not yet been published.

It is unclear whether “any other agreements” related to the transfers must be filed. We had previously understood that just the signed China SCCs would need to be filed, meaning that including the China SCCs in a standalone supplement to the global DPA or underlying agreement would be sensible, to manage risks of disclosing additional or commercial terms unnecessarily to the CAC. It is unclear whether that approach is sustainable, or whether the CAC will expect the full agreement, or a partially redacted version of the full agreement, to be disclosed as well. We hope the CAC will publish guidance on this sooner rather than later, given the potential impact on confidentiality clauses and contract structuring.

Updated filing if transfers change: Unlike the CAC assessment/approval route, there is no time limit on the validity or legitimacy of the China SCCs once signed and filed. However, organisations must sign a supplemental or new set of China SCCs, and refile them with the local CAC branch with a refreshed PIIA, if there:

  • is a change in purpose, scope, category, degree of sensitivity, method, storage location or term of the personal information transferred overseas; or
  • is a change in the processing purpose or method of the personal information by the overseas recipient; or
  • is a change in the personal information protection policies or regulations of the jurisdiction of the overseas recipient that may affect the rights and interests of personal information – effectively meaning organisations must monitor changes to overseas data protection laws, and undertake mini-TIAs within their PIIAs, to assess whether regulatory changes overseas might have such an effect; or
  • are other circumstances which may affect the rights and interests of data subjects.

This effectively means active monitoring of processing activities, overseas recipients, and the laws in the jurisdictions they operate, is necessary. We anticipate many local and China data protection teams will need to add to existing resources or head count to incorporate this into their data protection compliance programmes.

China SCCs are not the only compliance steps: signing and filing the China SCCs alone do not legitimise the cross-border transfers of personal information. Do not forget:

  • separate, explicit consent for the cross-border data transfer (on top of general consent to data processing and other separate consents for processing of (inter alia) sensitive personal information);
  • undertaking a PIIA; and
  • putting in place technical and organisational measures to ensure the data is processed to standards akin to China data protection laws (such as due diligence, ongoing vendor monitoring etc.).

The Measures specifically mention the requirement for separate consent when transferring personal information overseas for processing activities which rely on the legal basis of consent. We await clarification from the CAC as to whether or not the separate consent requirement will be exempted for processing activities based on (the limited) alternative legal bases in the PIPL.

CAC assessment/approval route clarification: For those organisations that have already considered whether or not they must follow the CAC assessment/approval route, the CAC has clarified that organisations may not seek to circumvent the CAC assessment route by falsely structuring the volume of personal information processed, for example by splitting it across multiple organisations or legal entities. Organisations that have not yet submitted their CAC assessment applications before the 1 March 2023 deadline are, therefore, strongly advised to reconsider their internal assessments as to whether or not they meet the relevant thresholds.

Next steps

Organisations must execute the China SCCs as a priority, or risk having to stop cross-border transfers of China personal information. We are creating a template China SCCs addendum for organisations to use, so please contact us for support.

Please contact Carolyn Bigg (Partner) if you have any questions or to see what this means for your organisation.

HONG KONG: Increased Enforcement Action?
https://privacymatters.dlapiper.com/2022/11/hong-kong-increased-enforcement-action/
Thu, 17 Nov 2022 08:16:37 +0000
Author: Carolyn Bigg

Are we seeing a return of proactive enforcement of Hong Kong’s data protection laws, after a lull in recent years?

On 14 November 2022, the Office of the Privacy Commissioner for Personal Data (“PCPD”) published two investigation reports for non-compliance with the Personal Data (Privacy) Ordinance (“PDPO”):

  • EC Healthcare’s failure to obtain consent for the use, disclosure, and transfer of patients’ personal data across its group entities; and
  • Fotomax’s failure to take adequate security measures against a ransomware attack.

Following that, the PCPD served enforcement notices on both EC Healthcare and Fotomax, requiring them to take remedial steps and prevent any recurrence of the contraventions of the PDPO.

Moving on – compliance priorities

The two investigation reports addressed both the public-facing aspects and the internal operations of the businesses’ data protection compliance.

Notice and Consent

Businesses should focus on the external aspects of compliance, such as (i) providing adequate notice which details the use and purpose of data collection, and (ii) obtaining consent prior to the use, disclosure, and transfer of personal data – and obtaining fresh consent where new data processing purposes arise.

In particular, businesses operating multiple brands should take extra care when sharing personal data across their group entities.

Internal Security Measures

With a rise in cyberattacks, businesses should actively monitor and improve their internal security measures through:

  • conducting regular risk assessments to understand their IT vulnerabilities and the potential risk of data incidents;
  • maintaining adequate technical and organisational security measures (e.g., de-identification and/or encryption of personal data, data access rights for staff on a need-to-know basis etc.) to mitigate the potential impact of data incidents;
  • implementing a data privacy management programme which sets out key data protection governance responsibilities (e.g. appointment of Data Protection Officer(s)); and
  • keeping records of internal communications and procedures to demonstrate compliance with the PDPO.

Enforcement Trends?

The publication of these investigation reports comes as a surprise within the Hong Kong data privacy landscape. Given the PCPD has in recent years taken a more ‘behind the scenes’ approach towards enforcement, this may indicate a more proactive phase for enforcement. Further, this may be a push by the Privacy Commissioner to encourage Hong Kong lawmakers to finally pass the remaining provisions of the PDPO Amendment Bill (i.e., mandatory breach notification and higher fines).

As such, businesses should bear in mind the multi-faceted compliance priorities (i.e. both external and inward facing obligations), as well as the reputational risks of non-compliance, given the publicity generated in investigation reports.

INDONESIA: Personal Data Protection Law PDPL Now in Force
https://privacymatters.dlapiper.com/2022/10/indonesia-personal-data-protection-law-pdpl-now-in-force/
Fri, 21 Oct 2022 08:43:06 +0000
Authors: Carolyn Bigg, Yue Lin Lee

Indonesia’s long-awaited Personal Data Protection Law (“PDPL”) finally came into force on 17 October 2022, helpfully consolidating and clarifying the personal data protection framework in Indonesia.

Whilst there is a two-year transition period, businesses with Indonesian operations or which process the personal data of Indonesian citizens should now make compliance a priority.

The law is primarily consent-based. Key things to note include:

  • Extra-territorial effect. The PDPL applies to all personal data processing activities of individuals, corporations, public bodies and international bodies:
      • within Indonesia; or
      • outside of Indonesia, which: (i) have legal consequences in Indonesia, or (ii) affect Indonesian citizens located outside of Indonesia.
  • Data Subject Rights. Under the PDPL these include the: (i) right to obtain details of data processing; (ii) right to correct or supplement personal data; (iii) right to access and obtain a copy of personal data; (iv) right to request deletion of personal data; (v) right to withdraw consent; (vi) right to refuse automated decision-making; (vii) right to restrict data processing; (viii) right to bring civil action for violation of the PDPL, and (ix) right to data portability. For some specific rights, businesses only have 72 hours to respond.
  • Data Protection Impact Assessment. These are required where data processing involves a high potential risk to the data subject.
  • Data Protection Officer (DPO). For certain data processing activities, data controllers and processors must appoint a DPO.
  • Overseas Data Transfers. Data controllers transferring personal data outside of Indonesia must ensure that the recipient country has a level of data protection at least equal to that required under the PDPL. Otherwise, data controllers must ensure there is adequate data protection. If neither can be achieved, the data controller must obtain consent from the data subject for the overseas data transfer. It is anticipated that data localisation measures in certain industry sectors will remain, at least in the short term.
  • Sanctions. These include written warnings, temporary suspension of personal data activities and deletion or destruction of personal data. Most notably, the PDPL introduces fines of up to 2% of the annual revenue of the data controller. In addition to these administrative sanctions, criminal sanctions include a prison sentence of up to six years and fines of up to Rp 6 billion (approximately USD 385,000) for the most serious offences.

SINGAPORE: Increased financial penalties under the PDPA now in effect
https://privacymatters.dlapiper.com/2022/10/singapore-increased-financial-penalties-under-the-pdpa-now-in-effect/
Wed, 05 Oct 2022 09:44:17 +0000
Authors: Carolyn Bigg, Yue Lin Lee

The provision setting out significantly higher financial penalties for Singapore’s Personal Data Protection Act 2012 (“PDPA”) is now in force.

There is now an increased risk for organisations contravening the PDPA in Singapore.

This means that in relation to any intentional or negligent contravention of:

  1. the data protection provisions, organisations may now have to pay a financial penalty of up to SGD 1 million or 10% of the organisation’s annual turnover in Singapore (where the organisation’s annual turnover in Singapore exceeds SGD 10 million), whichever is higher;
  2. the do-not-call provisions involving the use of dictionary attacks and address-harvesting software:
    • individuals may now have to pay a financial penalty of up to SGD 200,000; and
    • organisations, a financial penalty of up to SGD 1 million or 5% of the organisation’s annual turnover in Singapore (where the organisation’s annual turnover in Singapore exceeds SGD 20 million).

To recap, when the Personal Data Protection Commission is deciding whether a financial penalty is warranted, they will, among other things:

  1. assess the incident based on the principles of harm and culpability:
    • “Harm” includes the number of affected individuals, categories of affected personal data, duration of the incident etc.;
    • “Culpability” refers to the organisation’s conduct in the incident. The PDPC will consider the nature of the specific breach of the PDPA as well as the organisation’s overall compliance with the PDPA; and
  2. consider other relevant factors such as whether the organisation or person took any action to mitigate the effects and consequences of the non-compliance.

Key takeaways

Given the higher financial penalties, organisations must:

  • review their policies and practices for compliance with the new provision; and
  • update employees about the increased penalties and the accompanying increased risk for the organisation.

You may access the revised financial penalties here, and the Advisory Guidelines on Enforcement of the Data Protection Provisions here.

You may access our previous alert regarding the increased financial penalties here.

Please contact Carolyn Bigg (Partner) or Yue Lin Lee (Senior Associate) if you have any questions or to see what this means for your organisation.

DLA Piper Singapore Pte. Ltd. is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.
