In 2009 New Zealand, Hong Kong, Taiwan, South Korea, Japan and Macau enacted data privacy and data protection laws. Since then they have been joined by India and Malaysia, but just as important, South Korea and Taiwan have made major changes to expand and strengthen their laws.
Australia and Hong Kong are in the process of so doing and New Zealand has made significant changes in order to obtain an ‘adequacy’ rating from the EU.
Any person or entity storing or processing personal data is potentially subject to investigation and enforcement action by local regulators under these increasingly strict legal regimes. Additionally, they may face significant fines and defence costs in the event of a data breach, regardless of whether any third party suffers a loss or chooses to take legal action.
The cross border reach of many data protection regimes, coupled with an increasing tendency towards international outsourcing of data processing services, means that few businesses can be confident that their systems and processes are not subject to regulation and enforcement by overseas authorities.
Further, even in countries with no specified data protection or data privacy law or regulator, businesses may find their data processing activities increasingly subject to scrutiny under local criminal law and other regulatory requirements, which may be markedly stringent