Directing the Changing Landscape of Global Data Governance

The APPI, or Act on the Protection of Personal Information, amendments include stringent rules for cross-border transfers, mandatory reports to authorities and data subjects in cases of breaches of sensitive data, the extension of the right to request disclosure, pseudonymised data, the implementation of strong penalties, and other stipulations.

FREMONT, CA: In the year 2022, the updated APPI, or Act on the Protection of Personal Information, was implemented. The amendments include stringent rules for cross-border transfers, mandatory reports to authorities and data subjects in cases of breaches of sensitive data, the extension of the right to request disclosure, pseudonymised data, the implementation of substantial penalties, and other stipulations.

The APPI was carried out as a method of raising awareness and sensitivity on privacy among people around the world, who were experiencing a boost in cyberattacks which has affected people’s privacy, and the increase in data use across borders because of the steadfast employment of modern information technologies, like cloud technologies. One of the most prominent new mandates is the necessity for companies to report data breaches, which pushes organisations to adopt more advanced security measures.

As the demand for privacy protection rises in APAC countries, recently, there has been a boost in the enactment and revision of privacy laws, which also includes the enactment of Thailand’s Personal Data Protection Act in 2019, China’s Personal Information Protection Law and the Data Security Law in 2021, and Indonesia’s Personal Data Protection Act in 2022. Additionally, the Personal Data Protection Bill is being discussed in India and Vietnam.

At the same time, the rising data localisation proposals threaten to displace data protection priorities. For example, Decree 53, concerning the Cybersecurity Law of Vietnam, which was implemented in October 2022, and the Korean and Indonesian guidelines concerning public systems provide obligations to store specific types of data domestically. Although cross-border data flows are permitted, any type of data localisation necessities could potentially limit the use of good cybersecurity practices, for which strong consensus is still present for it around the world.

In 2023, the world’s biggest economies agree as to the contents of ‘appropriate’ or ‘reasonable’ security for data. The standard cybersecurity technologies and practices are present in the ENISA state-of-the-art guidelines, the U.S. Executive Order on Improving the Nation’s Cybersecurity, and the latest guidelines from the New York State Department of Financial Services in line with APPI security requirements.

In the presence of this consensus, it is also important to view renewed traction as the concept is outlined by data free flow with trust (DFFT), which was proposed by the former Japanese Prime Minister Shinzo Abe. DFFT, as a concept, promotes the international free flow of data, which is useful to solve business and social problems, while also ascertaining trust in security, privacy, and intellectual property. The aim is to create a global digital environment that allows for the movement of data across international borders while also assuring that after crossing the border, the data is then provided with the required protection and oversight.