Asian data privacy laws seen through the cases of National ID numbers, big data, and RTBF (10/30/2019 Stanford CISAC Asian Data Governance Workshop)

by | Nov 12, 2019 | Open Blog, Privacy | 0 comments

  Out of 26 countries (excluding MENA and Central Asia), only 13 have significant data privacy laws.  Only 6 have comprehensive laws (Japan, Korea, Philippines, Taiwan +HK & Macau)  and 6 (India, Singapore, Malaysia, China, Vietnam, Indonesia) laws covering only private/e-commerce, and 2 (Nepal, Thai) have laws covering only the public sector.

  Three themes flowing through the Asian region are as follows:

  • Development : data seen as basis for economic growth
  • State paternalism : security/privacy standards often dictated by the government
  • Urgency for Democratization (not democracy but democratization) or sustaining it: the upward pressure from the civil society for more transparency and mutual monitoring, and checks and balances.

These themes will appear as we discuss three instances of data governance:

  • National ID numbers
  • Big data (or secondary use of personal data)
  • RTBF

National ID numbers

  Unlike other countries with national ID numbers, Asian countries’ policies are punctuated by strong desires to use them for development & other paternalistic reasons such as surveillance and welfare.  Not much efforts are made to limit the so-called “function creep”.

  For instance, Korea resident registration numbers (RRNs) suffer from “paradox of trust” whereby more and more agencies and companies flock to the supposedly trustworthy national identification system, increasing the number of silos and the value of successful data thefts, thereby in the end decreasing the trustworthiness of the system.  This is why limiting “function creep” is important but the Korean government has not done this very well because of efficiency concerns.  The most recent attempt to ban collection of RRNs still left about 1,000 exceptions.  Also, it authorized only a small number of alternative id verification methods (i.e., mobile phones) resulting in the monopoly of telecoms in a id verification industry.

  Japan (like Germany) did not have a single number system but in 2013 began My number law but under strict “function creep” restrictions. India began a biometric national id system but the Supreme Court in Puttaswamy showed strong caution against adding essential functions such as welfare.

Big data – secondary uses of personal data

  GDPR allows ‘compatible’ secondary use although pseudonymization is almost always required.

  Asian laws also allow this margin of secondary use using various expressions ranging from “no incompatiable (Macau)”, “compatible (+ legitimate interest)(Philippine)”, “reasonably expected (Singapore)”, “duly related (Japan)”, “directly related (HK, Malaysia(for use, no limitation))”, “in conformity with (Taiwan)”, “within the scope (Korea)”, “purpose announced (Vietnam)”, and “collection purpose (India)”.

  In 2015-6, Japan created the concept of “anonymization-processed data” which is made not identifiable not by science but by access rules, which can be used outside that margin.

  In 2016, Korea tried to do the same with “de-identified data” but failed to win a majority and is now trying again with GDPR-anonymized data but the debate is now on whether pseudonymized data can be used for research purposes by


  Tension between free expression & privacy is obvious but aggravated in Asia by absence of derogation for freedom of speech in data protection laws as in GDPR (only “news media” exception) while there remain pressures for resolving social and historical disputes still requiring more data to be made available (e.g., comfort women).

  It is not clear whether RTBF is covered by existing data privacy laws.  However,

Korea & Japan’s societies and judiciaries have shown high awareness of the free speech harms of RTBF (as seen in Korea’s 2016 Supreme Court decision on faculty personal data case like Spickmich case of Germany, and Japan’s successive court decisions denying RTBF).

Relevantly, Singapore, India, and Malaysia’s data protection laws have exception for publicly available information. Indonesia recently passed a new RTBF law which is being heavily criticized.  Hong Kong’s DPA is being heavily criticized for shutting down the Do No Evil app which aggregated financial information of public officials and corporate officers for civic monitoring purposes.


Submit a Comment

Your email address will not be published. Required fields are marked *