Asia Privacy Newsbites

Here is a round-up of some recent privacy news around the region:

Hong Kong Privacy Commissioner publishes leaflet on outsourcing to data processors 

In Hong Kong, the Privacy Commissioner published a leaflet on outsourcing the processing of personal data to data processors. The leaflet contains guidance about what the Privacy Commissioner thinks a data user (i.e a data controller) should do when it trusts a data processor in processing personal data. Crucial reading for all service providers.

Hong Kong Privacy Commissioner publishes leaflet on new offence

Staying in Hong Kong, some of the sections in the Personal Data (Privacy) (Amendment) Ordinance 2012 come into force on 1 October 2012. One of those sections is a new offence (section 64) which imposes fines (up to HK$1,000,000 i.e. about USD128,000) AND imprisonment for 5 years for unauthorised disclosures of personal data obtained without consent from the data user. The Privacy Commissioner also published a leaflet on the new offence, with a few examples of what might be caught by the new offence. The examples track some recent instances of personal data of celebrities being used without their permission (e.g. Edison Chen and the infamous uploading by a computer repairman of photos of him and other celebrities in various intimate positions).

Singapore comes closer to enacting Personal Data Protection Bill

The Singapore Personal Data Protection Bill (which introduces general data protection rights and obligations and also a do-not-call regime) was introduced into Singapore Parliament on September 10, 2012. This is the first reading. Subsequently, there will be a debate in the Singapore Parliament on the Bill. Following the debate, the Bill will be read a second time, and then a third time before it is passed into law. Although it will be passed into law, it is expected that the data protection provisions in the Personal Data Protection Act (when passed) will only come into effect after 18 months from the date of enactment of the Act. The do-not-call regime in the Act is expected to come into effect 12 months from the date of enactment of the Act (as the do-not-call registry is estimated to become operational only after 12 months from the date of enactment of the Act).

New Zealand's EU Data Protection Directive adequacy decision is coming up in October

The Article 31 committee is deciding on the adequacy of New Zealand data protection laws after the Article 29 Working Party (made up of national data protection commissioners) gave a favourable opinion of the adequacy of the laws. The Article 31 committee is likely to release its opinion in October 2012 (as reported by Data Guidance). After that, the European Parliament will have 30 days to scrutinise the opinion, and then the EU Commissioners will decide to adopt the adequacy decision. This is significant for New Zealand as it would mean that organisations can rest easier in transferring personal data from an EU member state to New Zealand (a non-EU member state) as the organisation would rely on the adequacy determination. If successful (and it is likely that it will be), New Zealand will be the first country in the Asia Pacific region to have gained that recognition of general adequacy (as opposed to findings of adequacy in a specific area e.g. the processing of Passenger Name Records in the case of Australia).



For those wondering about the absence of posts, I have been quite busy. Work, family and a few other matters have been occupying my time (including writing an article ... which hopefully I will be able to provide a link to when or if it gets published). A number of balls up in the air, and now that I am typing this out, it feels good to be back.