May 9, 2023
An Exploration of Data Protection and Cybersecurity Developments in the Digital Economy Era : How China, India, Vietnam and Thailand are keeping up with digital evolution In today’s digital age, data protection and cybersecurity are becoming increasingly important world over. The Asian legal landscape, being no exception, is ushering in an enormous amount of change – with privacy laws anticipated, by the end of this year, to have grown by 25% since 2021. With the rise of technology, sensitive data is being collected and stored at an unprecedented rate, making it vulnerable to cyber-attacks. This is especially true in countries like China, India, Vietnam and Thailand that are experiencing rapid growth in their digital economies. Here, we shine a spotlight on these countries and explore the latest changes and upcoming amendments to their data protection and cybersecurity laws and regulations. China With the ever-accelerating growth of technology, comprehensive data protection and cybersecurity laws in China have become crucial. In recent years, the Chinese government has implemented a number of changes to its laws in order to protect citizens’ personal information and ensure that companies are compliant with international standards, such as the European Union’s General Data Protection Regulation (GDPR). These changes include new regulations on data collection, storage, usage and cross-border data transfers; increased penalties for violations; and improved enforcement mechanisms. In 2021, China enacted its comprehensive data protection “rulebook”, the Personal Information Protection Law (PIPL) which, while neither as prescriptive nor as detailed as the GDPR, imposes strict requirements on companies that collect and use personal information, and gives individuals greater control over their own data. For example,...
April 26, 2023
The interactive edition of the April 2023 issue of In-House Community (IHC) Magazine is now live (below). In this issue, we delve into updates on data protection and cybersecurity in the region. We consider recent developments in laws and regulations in China, India, Vietnam and Thailand, with valuable input from Debevoise & Plimpton and Tilleke & Gibbins. We further hear about cross-border data transfer in Indonesia after the introduction of its new law on personal data protection, covering both electronic and non-electronic forms of data (SSEK). We additionally garner insights on factors shaping data privacy and protection environments for businesses today, and what important questions boards should be asking to manage their risk (Praxonomy). In keeping with this digital theme, we take a look at the use of artificial intelligence in legal practice, including magic circle firm, Allen & Overy’s, introduction of Harvey. Our regular column updates for the issue include: A Q&A with a stalwart of the dispute resolution/arbitration field, Peter Godwin. He generously shares some insights on leading an auspicious career, being open to opportunities and embracing diversity. We also cover last month’s top deals, partner level moves, and latest legal industry news. For any feedback, Q&A opportunities, article or advert booking in our upcoming issues, please email me directly at...
January 13, 2023
The Office of the Personal Data Protection Committee (the “PDPA Committee”) published a draft regulation issued under the Personal Data Protection Act (2019) (the “PDPA”) relating to the cross-border transfer of personal data outside of Thailand (the “Draft Regulation”) on its website in September 2022.  Cross-Border Transfer of Personal Data under the Current Provisions of the PDPA According to Section 28 of the PDPA, a data controller can transfer personal data to a foreign country if the receiving country has in place adequate personal data protection measures that are in line with the adequacy criteria issued by the PDPA Committee. The PDPA Committee will announce a list of countries that have in place such personal data protection measures (the “Whitelist Countries”) later on. However, if the personal data is not transferred to any Whitelist Countries, the cross-border transfer can still be conducted if the exemptions under Section 28 apply.   Moreover, Section 29 (Paragraphs 1 and 2) of the PDPA provides an alternative method to transfer personal data to a foreign country. It states that the transfer of personal data is permitted within the same group of companies that have established binding corporate rules (the “BCR”) relating to data protection, which must be reviewed and certified by the PDPA Committee pursuant to the regulations issued by the PDPA Committee. If the company has certified BCR, Section 28 no longer applies to the transfer of such personal data.  Under Section 29 (Paragraph 3) of the PDPA, the cross-border transfer of personal data may be carried out in the absence of any Whitelist Countries or certified BCR if the transferor provides appropriate...
January 18, 2017
As of July 1, 2017, individuals and organizations will be entitled to institute a "private right of action" before the courts against those that contravene certain provisions of Canada's Anti-Spam Law ...