Cross-border transfers of personal data
Data requirements in Asia
Data protection aspects of cloud computing
Transfers of employee data
The cross-border transfer of personal data is a complex and evolving area
In Europe, the commencement in May 2018 of the General Data Protection Regulation (GDPR) ushered in a new era of control and transparency for the greater benefit of data subjects but with that comes a regulatory and compliance impost on the collectors of personal data.
In Australia, the introduction in February 2018 of the Notifiable Data Breach scheme has some important ramifications for offshoring and outsourcing.
In this group of topics, therefore, we highlight key issues in the current regulatory landscape affecting cross-border transfers of personal data, starting with a consideration of what is meant by the term “personal data”.
See Understanding personal data.
Complying with transfer of personal data obligations under Australian law
As a general guide, personal data in Australia may be equated with “personal information” as defined in the Privacy Act 1988 (Cth) (Privacy Act). The overseas transfer of such data (and its collection) by Australian-based organisations is primarily regulated by the Privacy Act and, within the Act, the Australian Privacy Principles (APPs). APP 8 — Cross-border disclosure of personal information is the most relevant in respect of transferring data out of Australia.
See Complying with transfer of personal data obligations under Australian law.
Identifying requirements for transferring personal data overseas
Different regulatory regimes apply in China, Britain, the European Union and the United States in relation to the transfer of data into and out of those jurisdictions.
China has recently enacted legislation which creates a more restrictive regime around the transfer of certain types of personal information out of its territory.
Britain and the EU present their own issues in that Australian laws are not regarded as “substantially equivalent” to the regimes in those jurisdictions. This may hinder the transfer of data out of those jurisdictions to Australia. The commencement of the GDPR on 25 May 2018 throws this disparity into greater relief, because the GDPR contains additional measures designed to foster transparent information handling practices and corporate accountability in relation to the collection, storage, processing and handling of personal data.
In the United States, the patchwork of state-based laws means that Australian businesses operating there or otherwise subject to data privacy laws in the US will have to consider the requirements of the particular state(s) or industries in which they conduct business.
See Identifying requirements for transferring personal data overseas.
Businesses operating in Asia, or that engage service providers with operations in Asia, need to understand the regulatory requirements in force in other jurisdictions that could apply to them. This subtopic takes a closer look at Indonesia, China, Malaysia and Singapore, each of which has introduced, or is in the process of introducing, new cybersecurity-specific legislation.
The Asia-Pacific region is incredibly diverse and this diversity is reflected in the levels of cyber sophistication to be found throughout the region. The region has some of the most cyber-sophisticated countries according to the Global Cybersecurity Index 2017 (GCI) — Singapore, for example, was ranked number 1 out of 193 countries. The GCI measures regulatory commitment to cybersecurity and is produced by the United Nations International Telecommunication Union.
In September 2018, 10 Association of Southeast Asian Nations (ASEAN) nations announced that they would create a framework for cooperation on cybersecurity. The framework will focus on greater regulatory cooperation and on the introduction of more comprehensive cybersecurity laws.
Indonesia, China, Malaysia and Singapore’s new laws all have one thing in common — they all implement measures to protect Critical Information Infrastructure (CII). The meaning of this term differs between jurisdictions, but it can be anything from healthcare to transport to financial services. In all jurisdictions, entities that operate CII will be subject to more onerous requirements than other organisations and individuals.
As well as insight into the regulation of CII, this subtopic provides practical tips about:
• Developments in Indonesia, including the establishment of a new cyber agency under direct presidential control;
  See Understanding the regulatory framework in Indonesia.
• China’s new cybersecurity law, which introduces new responsibilities for a huge variety of organisations, including multinational corporations. In a complex regulatory landscape, lawyers and their clients are urged to keep a close eye on the interpretation and implementation of cybersecurity laws in China;
  See Understanding the regulatory framework in China.
• Malaysia’s new cybersecurity law, yet to commence, and Malaysia’s current regulation of cybersecurity and personal data, including who regulates it. Malaysia is well placed to enforce its new law, with a single agency dedicated to cybersecurity, a government committed to overcoming cybersecurity issues and a well-established record on personal data protection;
  See Understanding the regulatory framework in Malaysia.
• Singapore’s new cybersecurity Bill and how it relates to Singapore’s strong existing legislation on cybersecurity and data protection, as well as the practical application of Singapore’s existing personal data protection acts;
  See Understanding the regulatory framework in Singapore.
The opportunities presented by cloud computing make this technology one of the most important IT developments in recent years, with both the private and public spheres increasing their uptake of cloud services. Workplace environment transformations, increased collaboration, shared or remote workspaces, and flexible work arrangements, have all encouraged the proliferation of cloud computing.
The Australian Signals Directorate (ASD), adopting the definition developed by the National Institute of Standards and Technology (NIST) in NIST Special Publication 800-145, defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (eg networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
But with increased opportunity there is also corresponding risk. The shift to cloud computing raises issues and risks regarding the collection, storage and handling of personal information. Purchasers and consumers of cloud computing products and services must have a firm understanding of these issues and risks and their legal implications.
With that in mind, the purpose of this subtopic is to:
• alert current and prospective cloud computing users to data security and contracting issues that may arise in connection with cloud computing;
• provide an overview of the application of privacy and data protection laws to storing, processing and accessing information within a cloud environment;
• highlight cross-border data transfer and supply chain risks; and
• outline some of the key data security standards relevant to cloud computing.
Handing over personal data at work is an activity that most people accept is just a normal part of their job.
But for employers, and their lawyers, it is crucial to be aware of the rules regulating employee data, especially if employers operate in more than one jurisdiction. As will become apparent in this guidance note, different jurisdictions take very different approaches to regulating employee data, which can cause confusion and may result in avoidable penalties.
There are many questions that data protection laws worldwide have attempted to answer. For example, when a jobseeker completes an online application, or hands over their CV, are they relinquishing ownership of that personal information? Do they need to give consent if their prospective employer, or employer, wants to use it? When an employee sends an email, can their employer read it or use its metadata? For what purpose? What about employees’ web browsing history on their work laptops? Can employers send their employees’ data to another country?
This guidance note provides practical guidance on how different jurisdictions regulate the protection of employee data. Often, employee data is not distinguished from personal data in the way it is regulated. The regulation of personal data is covered specifically in Understanding personal data, but is also covered here to the extent it is relevant to employee data.
In this subtopic, you will learn about:
• the regulation of employee data in Australia, Asia and Europe;
• what specific employee data is protected under each regulatory framework (see Protecting employee data);
• how employers are allowed to handle their employees’ data, including whether they can transfer it across borders (see Cross-border transfers of employee data);
• whether, in certain jurisdictions, a legal distinction is made between “personal data” and “employee data”; and
• instances where employers have failed to comply with employee data protection laws, and the repercussions of non-compliance (see Understanding employee data privacy obligations in Europe).