APAC Monthly TMC Update  – September 2020



Draft published to regulate commercial cryptography

The State Cryptography Administration published the Draft Regulations on Administration of Commercial Cryptography (Draft Regulations) and invited public comments on the Draft Regulations until 19 September 2020.

The Draft Regulations apply to the research, production, sales, service, testing, certification, import and export, and application of commercial cryptography within the territory of China. The term “commercial cryptography” refers to technologies, products and services that use specific transformation methods to encrypt and protect non-state secret information, and to perform security certification. The Draft Regulations also clarify the requirements of using commercial cryptography in electronic-authentication services.

In general, whilst voluntary, it is encouraged to submit commercial cryptographic products to qualified institutions for testing and certification. But for commercial cryptographic products that may affect national security, the national economy, people’s livelihoods, and social-public interest, the products will be listed in the Catalogue of Critical Network Equipment and Specialised Network Security Products and can be sold or provided only after they are tested and certified. If such products also have encryption functions, they will be included in the List of Commercial Cryptography that are subject to an import licence, and so cannot be imported into China without an import licence for dual-use items.

The operators of critical-information infrastructure (that do not involve state secrets), networks of a cybersecurity protection level of three or above, and national government information systems must use tested and certified commercial cryptographic products and services and commercial cryptographic technologies listed in the Guidance Catalogue of Commercial Cryptographic Technology.

Please click here for the full text (Chinese only) of the Draft Regulations.

Draft opinions strengthen trade secret protection

The Ministry of Justice published the Draft Guiding Opinions on Strengthening the Protection of Trade Secrets and Confidential Business Information in Administrative Licensing Processes and invites public comments until 30 September 2020.

When applying for administrative licences with government authorities, an applicant must clearly identify what information disclosed to the authorities are confidential, and cannot treat all application materials (i.e. those not qualified to be protected) as confidential information under the applicable confidentiality laws.

Government authorities must obey the principle of necessity and must not collect excessive confidential information. They must also take necessary technical and organisational measures to protect the confidential information received. It is also necessary to implement a full life-cycle approach to all-aspects of management of information mediums or carriers, file classification and archiving, and only access control on a need-to-know basis. It is prohibited to set the disclosure or use confidential information as a condition for granting administrative licences, or directly or indirectly require applicants to disclose confidential information during the review of applications. No confidential information can be disclosed or published without the relevant applicant’s consent, except when required by law or for the protection of national security or the public interest.

When entrusting a third-party agency to assess application materials or results, a confidentiality agreement must be signed between the disclosing authority and the agency. No confidential information can be disclosed to an agency who has a competitive relationship with the relevant applicants or has an economic interest in the assessment results. Applicants are granted the right to apply for administrative reconsiderations if they believe the authorities have infringed any of their confidential information.

Please click here for the full text (Chinese only) of the Draft Guiding Opinions.

Hong Kong 

Report on artificial intelligence in banking in Hong Kong

The Hong Kong Institute for Monetary and Financial Research (HKIMR) and the Hong Kong Monetary Authority (HKMA) released a report on 21 August 2020 entitled “Artificial Intelligence in Banking: The Changing Landscape in Compliance and Supervision”, which can be accessed here.

The report aims to assess the current status of AI adoption in the Hong Kong banking industry and its implications for banking compliance and supervision. Edmond Lau, Deputy Chairman of the HKIMR, hopes this report serves as a “starting point” towards a wider understanding of the implications of AI applications for the banking industry in Hong Kong.

The report is split into four parts:

  • Part 1 assesses the current status of AI adoption in the Hong Kong banking industry based on an industry-wide survey conducted by the HKMA, which indicates that banks in Hong Kong are optimistic about using AI and have adopted AI in all key functional areas with the most commonly used AI applications being risk-management tools such as anti-money laundering, cybersecurity and know-your-customer due diligence.
  • Part 2 provides useful insights about the risk-management framework for AI-utilising banks, including a data governance framework focusing on data quality and security to mitigate the risk of data breaches, and an enhanced model-risk management framework to validate model outcomes. One interesting finding is that banks are moving from a traditional piecemeal approach for cyber threats to a structured or risk-based approach of strengthening cyber-defence systems.
  • Part 3 elaborates the three principles regulators use to guide the supervision of AI adoption in banking: maintaining financial stability, consumer protection and nurturing innovation.
  • Part 4 explores the potential of AI in Regtech and Suptech applications, and the role of policymakers in fostering AI development in banking. Currently, use of AI in Regtech is limited to regulatory reporting and fraud detection.

In summary, the increased use of AI in banks should secure gains in efficiency and competitiveness. The role of policymakers will be to facilitate public-private co-operation and promote transparency between experts and the public.

Please click here for more details.


Data breach decisions against Singapore’s Central Depository and 7 others

On 3 August 2020, the Singapore Personal Data Protection Commission (PDPC) published a total of eight decisions. While five were warnings, three of the decisions included financial penalties. All eight decisions were for breach of the “protection” principle under the Personal Data Protection Act (PDPA), which is by far the most common principle breached in Singapore and accounts for more than two-thirds of the breaches that are published as decisions by the PDPC. In addition, the decision against the Singapore Central Depository (CDP) is notable for the steep financial penalty of SGD 32,000.

Many of the scenarios in which breaches occurred include common business activities for many organisations, such as: data collected on websites accessible to the public due to a lack of vulnerability scanning; unauthorised access to customer information from customer portals due to use of weak username and password protocols; the accidental public sharing of data intended for local networks only; leaks of personal data collected through websites due to inadequate privacy and security specifications provided to the web developer; and dividends sent to the old addresses of recipients due to a narrow testing scope during software migration exercises.

The PDPC decisions can be found here.

New data centres: Zoom in Singapore, Tik Tok in Ireland

On 18 August 2020, video conferencing app Zoom Video Communications opened a new data centre in Singapore with the help of Singapore’s Economic Development Board. Zoom joins many technology giants with data centres in Singapore, such as Facebook, Amazon Web Services, Google Cloud, and Microsoft Azure, which opened or expanded their data centres as early as 2018. This is part of a growing trend of expansion of data centres in Southeast Asia, which saw Alibaba opening data centres in Indonesia in 2019. Asian players are also setting up data centres in other regions – TikTok announced in early August 2020 that it plans to build a data centre in Ireland for its European users.

New Zealand

New Zealand Privacy Commissioner probes distribution of COVID-19 personal data

On 5 August 2020, the New Zealand Privacy Commissioner announced that he will make inquiries into the distribution of COVID-19 patient details by the Ministry of Health. This follows an earlier investigation completed in July 2020 by the State Service Commission (led by Michael Heron QC) after the revelation surfaced that the names, addresses and locations of 18 people in quarantine that tested positive for COVID-19 had been released. The Privacy Commissioner will investigate what further actions, if any, are appropriate under the Privacy Act, and will specifically look at the data flow to the Ministry of Health and the police. He has announced that he intends to publicly report on the findings and recommendations in early September, after a draft report has been considered by the Ministry and the police.

The official media release from the New Zealand Privacy Commissioner can be found here.


Proposal to regulate non-personal data in India

On 12 July 2020, A Committee of Experts on Non-Personal Data Governance Framework (appointed by India's Ministry of Electronics and Information Technology) published a report summarising their findings. The eight-member expert committee was tasked with studying issues relating to non-personal data and to make specific suggestions on regulations for consideration by the Indian government. The background to the forming of this committee was India's acknowledgement of the scale of the global digital transformation through the proliferation of big data, analytics and AI, and the danger posed by the possibility of global data monopolies in India as the second-most populous country with the second-largest population of smartphone users in the world. The report covers the following topics: trends in data availability, its socio-economic impact, and the case for regulating data; definition of non-personal data, sub-categories of public, community and private data; discussion on ownership of data, including rights over non-personal data; recommended mechanisms for data sharing; potential roles for a non-personal data authority; and technology-related guidelines for digitally implementing recommended rules and regulations around data sharing.

The US-India Business Council (USIBC) has already published a statement on this report, stating that it is “categorically opposed to mandates that require the sharing of proprietary data” and that imposing data sharing to promote competition will undermine investments made by companies to process and collect such information. The report was open for public comments until 13 September 2020.

The Committee’s official report can be found here. The USIBC official statement can be found here.