Summary of Discussion

The Leading Global Developments in Digitalization, Governance, and Privacy: Implications and Impacts for Asia

Pamela Graham Dixon

Executive Director, World Privacy Forum, NGO

As more and more governments create and enforce data privacy laws, an ecosystem of knowledge is formed, making it not just about data and the privacy of individuals but also how much entire ecosystems intersect and interact with each other. The Ecosystems Theory is useful in understanding the nature of current models of governance, specifically its scale, capacity, limits, and correlations. One example is the Estonia Digital ID ecosystem, which encompasses the Estonia Digital ID, professional certificates, driver’s licenses, MicroID (vehicle data ecosystem), social media platforms, and National Biometric ID. Groups of data are entangled in such ecosystems. Therefore, new governance models must include the management of ecosystem complexity in the new and constantly growing environment.

Data Platform based on MyData and Data Trust as a Governance System

Jongsoo Jay Yoon

Attorney, Lee&Ko, Korea

The right to data portability, or the right of the data subject to obtain and reuse their data across different services, is a right enforced by the GDPR and the Personal Information Protection Act in Korea. The MyData Model offers legal and technical services that maximize both the collective benefits of personal data and the distribution of benefits to data subjects. Along with this model, Data Trust functions as a fiduciary that manages subjects' information on their behalf. These models can be a solution to issues such as the infringement of the data controller’s interest and cybersecurity concerns related to data portability. However, limitations and challenges exist, including the lack of information and competence of data subjects, difficulty in post-control after consent, and the need for change in the data subject's perception. Building a governance system based on ethical legitimacy and mutual trust is key. The possible answer is MyData Platform with Data Trust, which can be a governance system as a fair agreement model.

Privacy Governance in MNC

Jae-Suk Yun

CPO, ASML, Korea

ASML manufactures lithography machines, which are an essential component in chip manufacturing. They have the vision of being a connection hub and business partner for the stakeholders and empowering responsible executives to be accountable for making educated privacyrelated decisions. Within the global privacy team, there are two layers. One is the privacy office, which mainly defines the privacy framework and key controls, advises businesses on data protectionrelated risks, and more. The second layer is the privacy network composed of champions that devote more time to privacy itself, with the main duties including supporting and facilitating compliance with applicable Privacy Regulations within respective organizations, and raising questions. Additionally, there are four main privacy protective measures: personal data breach (enabling instant reporting to authorities), privacy concerns, privacy assessments (determining the privacy risk level of a project and identifying privacy risks), and privacy requests. To be transparent and mitigate privacy risks, we should undergo gap assessments on similarities and differences in compliance with applicable L&Rs. This should also be adhered to by trusting employees and partners for continual growth.

Promoting Interoperability through the Global CBPR Forum

Greg Briscoe

Minister Counselor for Commercial Affairs at the U.S. Embassy, USA

As countries around the world continue to pass new data privacy laws, we need a framework that addresses regulatory fragmentation, facilitates multilateral cooperation, and is globally scalable. The Cross-Border Privacy Rules (CBPR) privacy certification system is a voluntary, enforceable certification that companies can join to demonstrate compliance with internationally recognized data privacy protections. Developed by APEC, the Global CBPR Forum has been joined by many economies including the United States, Canada, Japan, Korea, the Philippines, Singapore, Chinese Taipei, and more. The CBPR will bridge gaps between differing national privacy laws and ensure that baseline common protections travel alongside data across jurisdictions. Broader global participation in the CBPR System will strengthen economic and trade relationships and become an important building block for digital trade, interoperability, and consumer trust.

Blockchain-based DID: Self-Sovereign Identity

Sang-Mi Chai (Ewha Womans University, Korea)

Self-sovereign identity (SSI) is an identity management system that allows individuals to fully own and manage their digital identity. In an SSI system, users have independent existences, and their digital identities can be used across services with the individual in control of their identity information. The technical implementation of SSI requires verifiable credentials, decentralized identifier documents (DID), and blockchain technology. When users receive verifiable credentials from issuers (such as a known university), they store it in a distributed ledger through blockchain technology and present it to verifiers (such as employees) whenever needed. Decentralized identity is important because users should be able to choose which data to share with other parties, and trust that their data is not sold to other parties without consent.

Japan’s Position with Respect to the GDPR, Mutual Adequacy Decision, and the Close Relationship Between the EU and Japan

Junichi Ishii

APEC, DESG Data Privacy Subgroup Chair, Japan

In 2015, Japan’s data protection focused Act on the Protection of Personal Information recognized the APEC CBPR system as one of three major transfer tools for cross-border transfer of personal data. Based on the APEC CBPR system, Japanese companies can transfer personal data to CBPRcertified APEC participating economies or become CBPR-certified and transfer to foreign companies provided that the receiving companies are only processing data on behalf of the certified company. Another transfer tool is the designation of a foreign country or region. For example, Japan is in a mutual adequacy decision relationship with the EU. However, in keeping equivalence with the GDPR’s privacy rules, Japan has made supplementary rules where in the case of onward transfer of personal data from Japan to a foreign country, safeguards must be implemented, though this excludes the APEC CDPR system. The current CBPR system does not make it possible for data to flow from the EU without restrictions. A goal of Japan’s PPC and the Global CBPR Forum would be to try and make a truly global framework where we could appropriate and improve global requirements for international data flow.

Global Developments in Children’s Online Privacy

Francis Zhang

Deputy Director, Singapore

As children around the world now spend substantial amounts of time online and disclose a vast degree of personal data in the process, there is increasing pressure on governments to address privacy concerns and safeguard children’s personal data. Selected developments in the AsiaPacific, the European Union, the United Kingdom, and the United States indicate the importance of children’s privacy online. Australia included comprehensive and more robust privacy protections as requirements in its Online Privacy codes 2021; South Korea raised the age of protection from under 14 to under 19 and introduced the Right to be Forgotten for the first time under the South Korean privacy framework through the upcoming Children and Youth Personal information Protection Act; China’s Personal Information Protection Law of November 2021 and Indonesia’s Personal Data Protection Bill of September 2022 stipulate that the data of children under 14 is sensitive, so users of such data must conduct impact assessments and obtain parental consent. Singapore will introduce the Code of Practice for Online Safety which states guidance to protect young users from harmful content and unwanted interaction. The EU, the UK, and the US adopt policies to ensure a high level of privacy, safety, and security of children online.

Internet of Things (IoT): Prospective and Emerging Issues on Personal Data Protection in Malaysia

Cheryl Barr Kumarakulasinghe

Director of Enforcement, Malaysia

Internet of Things (IoT) is increasingly penetrating the Malaysian market, and with the 4th Industrial Revolution there is vast potential for IoT to provide enhanced services and capabilities. However, with the increasing number of smart devices and connections come risks, specifically those concerning consumer data protection. Due to the unique governance challenges of IoT, there is a need to develop specific policies and legislation to address these risks. This mixed-methods research explores the status quo of IoT and personal data protection in Malaysia that includes the existing regulatory frameworks, consumers’ perspective on IoT and personal data protection, and key challenges and implementation. This research is expected to provide guidance on creating a more holistic IoT and personal data protection environment in Malaysia.

Data Privacy: How Cooperatives Protect Their Data Online

Jonathan Rudolph Ragsag

DataSecurity Office, Philippines

Cyber security is concerned with anything that involves ICT, communications technology, data privacy, and personal information (a subset of the total information set). In the case of the Philippines’ data privacy, this presentation will shed light on the importance of security measures that uphold the rights of and data privacy principles. The National Privacy Commission has issued a Security Advisory 17-01 on the appointment of the Data Protection Officer; thus, government and private organizations now need to appoint their own data protection officers who analyze security risks and conduct security assessments. The Data Privacy Act (DPA) of 2012 of the Philippines has limitations when it comes to addressing the problems caused by the rapid development of ICT. This illustrates the need to revise the DPA or to introduce a new law to tackle such problems.

Recent Developments in Privacy Laws in Vietnam

Eunjung Han

Attorney, Rouse, Vietnam

Vietnam's goal to implement a digital transformation program was launched in 2020, aiming to develop a digital government, digital economy, and digital society all while fostering local digital businesses and equipping them with global capacity. A main pillar of this program is updating outdated legal instruments like the Telco, e-transactions, and IT laws, which is happening right now. Vietnam’s privacy law framework is currently undergoing great change with efforts being made to bring local regulations in line with international standards. While relevant provisions are currently spread across different laws, Vietnam is preparing to issue its first omnibus privacy legislation – the Personal Data Protection Decree (PDP). The PDPD is still in draft form and under the final stages of government review. Its purpose would be to control the way information is handled and to grant legal rights to data subjects. The presentation will elaborate on such legal developments as well as discuss Vietnam-specific regulatory focuses and implications.

Data Protection Act 2021, Sri Lanka; A Comparative Analysis of Law in Selected Asian Countries

Prathiba Mahanamahewa

University of Colombo, Sri Lanka

The presentation discusses the most important law in Asian countries, which is intended to facilitate and invite investments from the West (particularly the European Union) by protecting business entities and personal information; this has become one of the burning issues in the contemporary world. The presentation further compares and critically analyzes the data protection laws in South Asian countries and highlights the main features of the recently introduced and comprehensive 2021 Data Protection Act of Sri Lanka. The EU data privacy directives and GDPR requirements with heavy penalties for data breaches are incorporated in this Act. Finally, the introduction of common data privacy directives such as those of the EU will be recommended for SAARC countries.

Data Protection and Privacy Issues in Immersive Technology

Josh Lee Kok Thong

Managing Director (APAC), Future of Privacy Forum, NGO

As the metaverse and virtual reality (VR) becomes more of a reality, and as companies tap into its commercial promise, the importance of protecting personal data becomes ever more crucial. During a mere 20-minute session of VR use, approximately 2 million data points and a unique recording of one’s body language are collected. During immersive experiences, the sensitive information of a person’s attention and subconscious senses are generated. In extended reality experiences, the experience can be indicated by the synchronous and persistent aspect of technologies, and this raises ethical and privacy-related challenges for those we encounter within the technologies. Unfortunately, the global picture of data protection is not entirely concentrated, but in the extended reality, digital indirections are a complex engagement in terms of data protection rules and jurisdictions. Thus, the clarity of the potential risks of the solution will only grow, urging the industry, regulators, and academia to come together. Collaboration will be needed to make sure virtual realities become not the Wild Wild West but a space of innovation.

Critical Review for the AI regulations: seeing through the IRUDA case

Beop Yeon Kim

Korea University, Korea

The occurrence of privacy issues in various Artificial Intelligence (AI) technologies and services led to an increase in demands for related ethical and legal control. Meanwhile, the European Union (EU) established the "Proposal for a Regulation Laying Down Harmonized Rules on Artificial Intelligence: Artificial Intelligence Act" in April 2021. The effectiveness of the EU's legislation - whether it can control the risk of AI and minimize personal information or privacy violations – is considered through this presentation. As a method to do so, the EU's legislative proposal is applied to AI related cases that occurred in both Korea and abroad, and it is affirmed whether regulatory legislative measures for AI would be effective. The result of the review states that even if legal controls on subjects such as developing, producing, and servicing AI are established, it is difficult to control all risks that AI can create. Furthermore, since the scope of AI is wide, the paper suggests the necessity of managing its risks via separate regulatory legislation suitable for each field, and cultivating user/expert ethics for AI users, developers, and operators.

Regulatory Compliance in the Global Game Industry

Eui Won Park

CPO, NCSOFT, Korea

Gaming is one of today’s most global services where billions of people around the world play and communicate on platforms regardless of age, race, gender, or region. NCSOFT is a leading company in the global game industry, and its purpose is to provide the best products to users and connect them their online platforms. However, data regulation in countries like Russia, Vietnam, and others in Asia become huge challenges in providing services to users. The main pillar of the regulation is that the personal information of users must be stored in their own countries, meaning that the service provider must establish both a cloud and server there. This is a challenging process as it requires both a huge budget and substantial time resources. NCSOFT respects the regulations that each country has for protecting its citizens, but it is true that such regulations play as hurdles for us to provide services in certain regions. NCSOFT believes that the Cross Border Privacy Rules (CBPR) will be able to act as a positive alternative to overcome these barriers. Thus, NCSOFT is trying to use CBPR to provide its services to CBPR member countries; it is in the process of being certified with the CBPR and expects that the certification will be granted early 2023.

Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy

Beomsoo Kim

Barun ICT Research Center, Korea

In September 2022, Google and Meta were fined over $72 million USD for collecting personal data and sharing it with third parties. The grounds for this penalty from the Personal Information Protection Commission (PIPC) was that the data was illegally collected, which is also the position of the Korean government. One basis for the judgment of the PIPC was that Google treated users differently according to their nationalities when they created a Google account. The Korean government and the PIPC found that Google was not forthcoming with information from Korean users who created an account. Specifically, Google obscured the “more options” feature, which the users need to check as they create an account. If this information is hidden, the risks of misunderstanding and having communication problems increase. In this sense, Google should work on reasonable policies. Another set of issues that the PIPC raised was the “scroll-box” implemented in Facebook. In order to capture all the details of Meta’s privacy practice in that format, one was forced to go through a small checkbox and scroll down to read all the many details. This is not the first time that Google and Meta hid information deliberately. Thus, the role of law enforcement agencies to implement more vigilant policies on privacy related acts and regulations is of great importance.