Country Specific APAC Data Privacy Changes Impacting Recruitment Firms

1. Australia

While  Notifiable Data Breach (“NDB”) scheme (mandatory reporting of eligible data breach) which commenced after 22 February 2018, generally only applies to businesses with a turnover of more than $3M, recruitment agencies are the exception to the rule and every recruitment firm in Australia must comply, because even small firms hold enough valuable private data to be a concern.

The Office of the Australian Information Commissioner (“OAIC”) must be informed within 30 days of there being enough grounds to believe that an eligible breach has occurred, except for minor ones which can be remediated beforehand.

2. China

China issued the Cybersecurity Law and New China Data Privacy Standards in 2018 to provide a data privacy regime in Chine. Since then, enforcement has been taken against illegal sharing and sale of personal information, which had previously been a prevalent practice in the Chinese recruitment market.

Detailed local implementation rules of the Cybersecurity Law will soon be issued to provide full guidance on processing, local storage and cross-border transfers of personal information. It is anticipated that after the release of the guidelines, Chinese regulators will start focusing on compliance with data localisation (ie storing Chinese candidate data exclusively on Chinese based servers) and heavily regulating the cross-border transfer (which could include viewing of data remotely) of personal information outside China. Chinese authorities may require an assessment and certification process to be followed, whereby before Chinese candidate is view by overseas offices, the relevant Chinese Government agency assesses the need for the data to be transferred and if satisfied issues a permit, which may contain certain conditions around stringent security on the recipients end.

3. India and Indonesia

India (Personal Data Protection Bill) and Indonesia (Data Protection Law) are in the process of overhauling their data privacy protection law, respectively. Both are being patterned after the stringent EU General Data Protection Regulation (“GDPR”). Each country aims to improve the manner and circumstances in which personal data may be lawfully transferred outside their territory.

With their overhauled data privacy  laws, recruitment agencies are expected to (a) assess the risks that it create for others in processing their data: candidates, clients, and employees (b) mitigate the risks that it creates for others in processing their data: safeguarding, training, and data cleansing, and (c) be able to demonstrate the steps taken. Documentation is very important in this assessment and mitigation process.

4. Japan

The Personal Information Protection Commission (“PPC”) amended the guidelines on the Act on Protection of Personal Information last January 2019 to impose restrictions on the transfer of personal data overseas, including view of candidate data between different country offices of recruitment firms.

Transfers of personal data to third countries are allowed only, if there is a legal basis for the processing/transfer and the the third country has the same level of data privacy protection as that of Japan. The PPC and European Commission find an adequate level of protection by both sides simultaneously on January 2019. Other countries in the Asia Pacific have not yet been granted this status.

5. Malaysia

The implementation of the data breach notification mechanism in Malaysia has been delayed and it remains unclear when it will be effective. However, the authorities remain active in making sure that companies are complying with the Personal Data Protection Act. In 2018, a recruitment agency was charged with processing personal data without a valid certificate of registration issued by the Personal Data Protection Commissioner. The PDPA provides that certain classes of data users must be registered and issued with a valid certificate of registration by the Commissioner. In the event of conviction, a fine of up to RM 500,000, or imprisonment of its officer(s) for up to 3 years, or both will be imposed.

6. Philippines

In May 2018, Philippine companies that handle personal data of European citizens have been required to follow European standards in line with the GDPR implementation. The Data Protection Act is closely modelled after the GDPR and the Philippine authorities have quickly focused on enforcement of compliance.

In September 2018, the National Privacy Commission (“NPC”) issued Circular No. 18-02 containing guidelines on the NPC’s conduct of compliance checks on data controllers and processors (including recruitment firms).

7. New Zealand

The new Privacy Bill is expected to be passed with a commencement date of March 2020. It will affect offshore activities including recruitment process outsourcing.

It is anticipated that enforcement priorities will relate to the recent recommendations made by the Select Committee’s on Privacy Bill which include:

  • mandatory data breach reporting;
  • extraterritorial enforcement of the Privacy Act by extending the Privacy Act to apply to activities of a NZ recruitment agency offshore and to offshore recruitment agencies using New Zealand personal data;
  • creation of new criminal offences; and
  • fines of up to NZD 10,000.

    8. Singapore

The increased breaches of the Personal Data Protection Act (PDPA) protection obligation (i.e., data breach incidents) called for revisions to the PDPA that are expected to take place by the end of 2019, including a mandatory data breach notification regime and additional obligations for processing for the collection, use and disclosure of personal data.

It is important to note that recruitment firms are subject to the PDPA, although there is a partial exclusion for recruitment firms from the Do Not Call Registry provisions. Furthermore, recruitment firms are able to rely upon the “evaluation exception” in the PDPA which enables them to avoid the recent restrictions implemented for the collection, use and disclosure of NRIC information. The only requirement would be for firms to update their privacy policy to provide notice to candidates that they were still collecting NRIC information because of the “evaluation exception”.

9. South Korea

The Korean government announced in 2018 that it would amend applicable laws and regulations to enhance the possibility of utilising personal information and protecting personal information through the introduction of the concept of anonymisation and pseudonymisation. Pseudonymization is a method to substitute identifiable data with a reversible, consistent value. Anonymisation is the destruction of the identifiable data. The move is seen as a further step to crack down on the use of personal data and recruitment firms may be forced to send anonymised candidate CVs.

10. Thailand
As the PDPA has been recently passed on February 2019, sub-regulations under the PDPA is expected to be issued within two years from the publication date. That said, many firms are starting to prepare now for the implementation.

Augment General Counsel makes no warranty of any kind with respect to the subject matter or the completeness or accuracy of this article. Augment General Counsel is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall we be liable for any damages resulting from reliance on or use of this information. This article is for general information purposes only and readers should take specific legal advice when dealing with specific situations.