Cross-border data protection needs less formal, bottom-up approach

THE Covid-19 crisis has accelerated the take-up of technology across many sectors, with more people working from home, ordering goods and products online, and streaming entertainment using cloud-based solutions. The future 5G mobile network, which promises a host of supercharged AI solutions, will accelerate the use of data transmissions, all of which are dependent on smooth and secure flow of personal data across borders.

Yet Asia, in particular, remains a patchwork of different laws governing the collection, use and transfer of that data, despite drawing on the same sources, like the OECD Privacy Guidelines, the APEC Privacy Framework and Europe's General Data Protection Regulation.

For instance, different rules apply in the regulation of cross-border data transfers in the Asia-Pacific. For example, transfers may be authorised or prohibited by default, subject to exceptions that vary. Some jurisdictions like China, India, Indonesia and Vietnam have, in some circumstances, imposed strict obligations to "localise" their citizens' data, citing digital-sovereignty and national-security concerns. Collecting individual consent is a default condition to transfer data overseas in some, not all jurisdictions. Consent may be understood differently. Not all compliance mechanisms that companies may use to transfer data as alternatives to consent are recognised in all jurisdictions.