APAC TMC Update - June 2021

China

China

China’s market regulator issues Anti-monopoly Guide for Platform Economy Sector

On 7 February 2021, the State Administration for Market Regulation (SAMR) issued the finalised Anti-monopoly Guideline for the Platform Economy Sector. This Guideline follows the draft Guideline, which was issued on 10 November 2020 and is the first piece of anti-monopoly related legislation that specifically targets the TMC sector.

Among other directives, the Guideline provides detailed guidance on preventing and restraining monopolistic conduct in the platform economies sphere. The Guideline also sets out several typical violation behaviours under the anti-monopoly agreements chapter, such as when operators collect or exchange sensitive business information (e.g. prices or sales volume) to manipulate the market, boycott transactions, fix prices or limit new products and services; and when operators fix resale prices or minimum resale prices through manipulating data and algorithms. The Guidelines also target the use of big-data algorithms to provide differentiated prices and conditions to consumers and traders, which is currently the typical conduct of tech giants in the Chinese market. In addition, in the chapter on concentration of operators, the guideline indicates that the concentration of variable interest entity (VIE) operators also falls within the scope of a merger-control review. This is the first official confirmation that the VIE structure is subject to merger-control review.

When the draft Guideline was issued in November 2020, the industry considered it a reaction to the boom in the online platform economy and launched a huge push back during the opinion-solicitation period. Compared to the draft, the final version contains a balanced approach such as listing potential justifications for some seemingly anti-competitive behaviour. Platform operators in China should pay attention to this Guideline in their compliance work.

Draft regulation emphasises App distributors’ data protection obligations

The Ministry of Industry and Information Technology published the draft Interim Regulations on Personal Data Protection in Mobile Applications to solicit public comments until 25 May 2021. The draft sets out the data protection obligations for mobile application developers, operators, distributors, third-party service suppliers, intelligent device manufacturers and network access service providers. The requirements are tailor-made for data processing activities via mobile applications.

In particular, the draft introduces special obligations for the operators of application distribution platforms (e.g. Apple Store or Android markets), such as the requirement to register and verify the true identity of the developer and operator of an application; prominently display on a platform the data processing rules and the user authorisation required for the use of an application; carry out data compliance checks on the operation of an application before publishing it on a platform; design credit systems, risk lists and other mechanisms to record and reflect the data protection compliance status of application operators; and establish convenient channels to receive user complains about the applications published on platform.

Please click here for the full text (Chinese only) of the draft.

Draft regulation proposes new requirements on data collected in cars

The Cyberspace Administration of China published a draft regulation to solicit public comments until 11 June 2021. The draft regulates the processing of personal data and important data by operators during their design, manufacturing, sales, maintenance and management of cars in China.

Important data in the context of this draft include data on the flow of people and vehicles in important and sensitive areas (e.g. military management zones, offices of government agencies at or above the county level), surveying and mapping data with an accuracy level higher than the publicly distributed maps, operating data of a car's electric charging networks; data on vehicle types and vehicle flow on roads; and out-car audio and video data including faces, voices, license plates, etc.

In addition to complying with the general personal data protection requirements, operators must process personal data and important data in cars, unless it is necessary to provide services to the data subjects and the out-car processing has been consented to by them. Personal data and important data collected via cars must be stored within China and can only be transferred to a foreign country after passing the required security assessments. If an operator processes personal data of more than 100,000 individual or processes important data, it must file a report describing its processing activities to the regulator on an annual basis.

Please click here for the full text (Chinese only) of the draft.

China publishes Data Security Law

China published the PRC Data Security Law, which will take effect from 1 September 2021. The law mainly includes high-level principles rather than detailed implementation rules. While the scope of the law is broad and covers all types of data, the regulatory focus is on non-personal data.

The law emphasises again that the state must establish a data-classification system, based on the importance of data in economic and social development, and the harm to national security, public interests, or the legitimate rights and interests of individuals and organisations once data is tampered with, destroyed, leaked, or illegally obtained or used. Different technical and organisational measures should be implemented to protect data from falling into different classes. Administrative authorities must formulate the data classification catalogues within their respective jurisdiction. However, it still remains unclear when the catalogues will be published or how data will be classified in them.

Regarding cross-border transfer of data, critical information infrastructure (CII) operators should continue to follow data localisation requirements under the PRC Cybersecurity Law. As for non-CII operators, the law provides that their cross-border transfer of important data must follow administrative measures formulated by the relevant authorities. However, the law does not define the scope of important data nor does it indicate what regulatory approaches the to-be-formulated measures must adopt.

Please click here for the full text (Chinese only) of the law.

Hong Kong

Legislative Counsel publishes discussion paper on proposed amendments to Personal Data (Privacy) Ordinance (Cap 486)

Following last year’s discussion on various proposed amendments to the Personal Data (Privacy) Ordinance (Cap 486) (the “Ordinance”), on 17 May 2021 the Legislative Council Panel on Constitutional Affairs published another discussion paper setting out more details on the proposed amendments, particularly in relation to the following aspects:

  1. Adding an offence to curb doxing acts – the proposed new doxxing provisions not only protect the data subject, but also offer protection to the subject's immediate family members, and the proposed level of penalty for this new offence includes an indictment, a fine of HKD 1 million and imprisonment for five years, or on summary conviction, a fine of HKD 1 million and imprisonment for two years.

  2. Empower the Commissioner to carry out a criminal investigation and prosecution for doxxing acts – under the current Ordinance, the Privacy Commissioner for Personal Data (PCPD) is required to refer cases to the Police and the Department of Justice for criminal investigation and consideration of prosecution PCPD if there are reasonable grounds to pursue these cases. The proposed amendments to the Ordinance will have new provisions empowering the Commissioner to carry out a criminal investigation and prosecution for offences relating to doxxing acts under the Ordinance.

  3. Confer on the Commissioner statutory powers to demand the rectification of doxxing contents – the proposed amendments also include new provisions to empower the PCPD to serve a Rectification Notice to any person for rectification actions when it has reasonable grounds to believe that an offence relating to doxxing has been or is being committed, and within a designated timeframe. The Rectification Notice can be sent to any person who provides services in Hong Kong to Hong Kong residents in order to direct the relevant online platform to rectify the doxxing content.

India

New controversial laws regulating media intermediaries came into effect on 26 May 2021

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules 2021) came into effect on 26 May 2021 following a three-month timeline on 25 February 2021 for social media platforms to comply.

The IT Rules 2021 imposes due diligence requirements on various intermediaries - where the term ‘intermediary” is widely defined under the Indian Information Technology Act 2000 to be, with respect to any particular electronic message means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message.  Some of these requirements include:

  • prominently publishing on its website or mobile based application, the rules and regulations, privacy policy and user agreement for access or usage of its computer resource;

  • putting in place terms restricting certain types of content such as those that are patently false, misleading, or contrary to the laws of India; and
    removing content notified to be in violation of any law within 36 hours of a court or government order.

The IT Rules 2021 also imposes certain additional due diligence requirements for specific types of intermediaries, such as social media intermediaries and significant social media intermediaries, aiming at improving the accountability of these intermediaries.. For example, a significant social media intermediary (i.e.a social media intermediary with users above a specified threshold of five million registered users) must also appoint a Chief Compliance Officer responsible for ensuring compliance with the IT Rules 2021 and a Resident Grievance Officer, responsible for the grievance redressal mechanism function. Both such officers must reside in India.

The notification on 25 February 2021 for the IT Rules 2021 can be downloaded on the Ministry of Electronics & Information Technology’s website here.

Indonesia

Deadline extended for registration of private electronic systems operators to 2 January 2022

The Ministry of Communication and Informatics (MOCI) enacted MOCI Regulation No. 10 of 2021, which extends the deadline for the registration requirements for private electronic system operators (ESOs) imposed under the MOCI Regulation No. 5 of 2020 on Private Electronic System Operators (MOCI Regulation 5/2020).

Under MOCI Regulation 5/2020, before private electronic systems can be used, registration is required through the online single submission system by private ESOs that own portals, websites or applications that are used to:

  • facilitate, manage or offer goods/services;

  • facilitate, manage or operate financial services transactions;

  • transmit paid-for digital materials using a data network, by downloading from a portal or site, sending via e-mail, or via other applications, to a user’s device;

  • provide, manage or operate communications services, including short messages, voice calls, video calls, e-mail, etc. on digital platforms, including social media;

  • provide a search engine service or act as an information provider; or

  • process personal data for operational activities for the public in relation to electronic transactions.

This registration requirement was initially supposed to take effect at the end of May 2021, six months after the enforcement of MOCI Regulation 5/2020. Under MOCI Regulation No. 10 of 2021, the registration deadline will be extended to 2 January 2022, six months after the implementation of a new licensing system, which is estimated to be rolled out on 2 July 2021. During this grace period, operation of electronic systems without the requisite registration is still valid.

Thailand

Personal Data Protection Act Enforcement postponed to 1 June 2022

On 8 May 2021, the Thai government published an amendment to Royal Decree Establishing Organisations and Businesses that the Data Controllers are Exempted from the Applicability of the PDPA B.E. 2562 B.E. 2563 (2020) (Royal Decree) to postpone the full enforcement of the Personal Data Protection Act B.E. 2562 (2019) (PDPA) until 1 June 2022.

The postponement of the full enforcement of the PDPA was initiated as a response to the ongoing third wave of the COVID-19 pandemic in Thailand, with entities such as the Federation of Thai Industries and the Thai Chamber of Commerce voicing concerns that the implementation of the PDPA will place a strain on businesses that are trying to mitigate the effects of the pandemic.

While the supplementary regulations have not yet been formally issued, they have been drafted and are pending approval. Similar to the key principles of the PDPA, the Thai government has announced that the supplementary regulations will be guided by the principles in the EU’s General Data Protection Regulation (GDPR).

Vietnam

Penalties increased for advertising violations

On 1 June 2021, Decree No. 38/2021/ND-CP on Penalties for Administrative Violations in Culture and Advertising (Decree No. 38) took effect to increase the fines applicable to administrative violations pertaining to culture and advertising. Decree No. 38 replaces Decree No. 158/2013/ND-CP and Decree No. 28/2017/ND-CP.

Among other things, penalties for the following acts, which previously ranged from VND 40 to 50 million (USD 1,741 to 2,175), were increased to a range of VND 50 to 70 million (USD 2,175 to USD 3,058):

  •  Advertising tobacco;

  • Advertising wine with 15% alcohol content and above;

  • Advertising milk for babies under 24 months of age as substitutes for breast milk; dietary supplements for children under six months of age; baby bottles and artificial nipples;

  • Advertising prescription drugs; over-the-counter drugs that are recommended by the competent authorities for limited use or under supervision of a physician; and

  • Advertising other goods and services banned from advertising.

  • Additionally, under Decree No. 38:      

  • The maximum fines for administration violations arising from cultural activities is VND 50 million (USD 2,175) in the case of individuals, and VND 100 million (USD 4,350) in the case of organisations.

Examples of these violations include cinematography-related violations, such as violations against filmmaking regulations and film release regulations; violations involving performing arts activities, such as violations against regulations on performing arts, performing arts contests, festivals; and violations involving the organisation of festivals, trading of karaoke services, discotheque services, cultural activities and community cultural services.

The maximum fines for administration violations arising from advertising activities is VND 100 million (USD 4,350) in the case of individuals, and VND 200 million (USD 8,700) in the case of organisations. Examples include violations against regulations on the advertising of products, goods and services; violations against regulations on advertising speech and writing; and violations against regulations on advertising on electronic newspapers and websites.

A report by the online newspaper of the Vietnamese government on Decree No. 38 can be found here.