Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 6
2024 in Review:
A Look Ahead at 2025
2024 was another year of rapid change to the
data, privacy and cybersecurity regulatory
landscape in the Asia-Pacific (APAC) region.
The brisk pace of development has clearly
become the norm. Since GDPR became the
benchmark for data protection regulation
internationally in 2018, the significant uplift
to European standards is gradually making its
way across the region. APAC jurisdictions with
longer histories of data protection regulation
have been upgrading their laws by
cherry-picking from GDPR, with innovations
such as data breach notification obligations and
revenue-based fines becoming typical across
the region. At the same time, jurisdictions with
no history of data protection regulation at all
have been taking GDPR as their template,
confirming that it has become the inevitable
reference point for laws in the area. The
difference now is that many regional data
protection authorities have gained experience
with GDPR-inspired concepts and have made
them their own, raising compliance
expectations along the way. However, we see a
pause (or perhaps even a reversal) of the trend
to adopt ever-more stringent privacy
compliance requirements inspired by GDPR,
now that both the data protection regimes in
APAC and the authorities tasked with on-the-ground implementation begin to mature. With
time, we see regulators taking a more pragmatic
approach and even dialling back some of the
requirements, in the face of the economic
downturn and the challenges local businesses
face in practice to achieve compliance.
Case in point are the challenges faced by
organisations dealing with China’s cross-border
data transfer restrictions. The Cyberspace
Administration of China (CAC) launched its
security assessment procedure late in 2022,
followed by the introduction of standard
contractual clauses and personal information
privacy assessment guidelines in 2023.
Organisations have generally found the process
to be extremely challenging, with a lengthy
security assessment questionnaire requiring
organisations to provide the authorities with
detailed – and in some cases very sensitive
– technical information about the data
processing environment supporting the
transfer, both in mainland China and abroad.
Official data indicates that successful
applications have been few in number,
prompting the CAC to roll out measures that, by
relaxing the restrictions and clarifying the
thresholds triggering transfer requirements
of different levels, would create a number of
exemptions for various types of data transfer.
It is clear that data transfer regulatory policy in
China is struggling to achieve a balance
between, on the one hand, a vision of
comprehensive “cyber sovereignty” considered
necessary to Chinese national security and, on
the other hand, a business environment that is
supportive of foreign investment. China’s
approach to cross-border data transfer
regulation is already having its influence, with
Vietnam launching a similar review procedure
in the summer of 2023, which was met with
similar resistance.
The other key variable is that a growing number
of APAC jurisdictions are coming to focus on
cybersecurity and national security concerns,
with the effect that the underlying policy
applicable to data protection regulation may
differ from the GDPR.
For example, we see China introducing a raft of
new laws and regulations to prescribe
further requirements on network and data
security, categorising and defining data of