In recent years, the world has witnessed a profound change in awareness and in fundamental attitudes about privacy and data security. This has been driven by a number of factors such as digitization, economic globalization, increased individual awareness about data privacy, and recognition of the value of personal data as an economic asset. This has resulted in a spectrum of legal frameworks motivated by concerns about personal data privacy on one end, and the desire for an unrestricted flow of information in commerce on the other. The panel will lead a dialogue on the evolution of these changes in Asia.

The GDPR went into effect in the European Union (EU) in May of 2018, but its impact has reached far beyond the EU, affecting any organization anywhere in the world doing business in the EU, and global information infrastructure in general. This panel will lead a dialogue on whether and how countries in the APAC region have addressed GDPR in their own laws and regulations, and how APAC-based organizations have adjusted their privacy and data security practices in response to GDPR.

Each year, the International Programme features a detailed discussion of recent court decisions—mostly from the United States—on privacy, data security, and cross-border data transfer issues. This year the focus has shifted to regulatory enforcement actions, as European data protection authorities closed out their dockets under their old national laws and started enforcement under GDPR. One year in, the GDPR is already resulting in notable decisions providing guidance for practitioners, with sizeable fines in a few exemplar cases. Data protection authorities in the APAC region are flexing their regulatory muscle as well. Our panel of privacy and data security legal scholars will lead a dialogue on the most instructive cases from the past year.

Global data protection authorities will lead a dialogue on their respective enforcement priorities and advisory roles under global data protection regimes. The panel will also discuss how the regulatory enforcement and consultation structure impacts organizations. The dialogue will focus in particular on data transfer requirements and recent regulatory developments.

Internal investigations and cross-border regulatory investigations can present unique challenges to organizations seeking to comply with an array of global privacy laws, blocking statutes and data localization laws. The increasing regulatory complexity in APAC adds to the risk. Regulators are increasingly familiar with these challenges, but nonetheless require companies to meet their obligations to conduct fulsome investigations and produce relevant materials. A panel including in-house counsel from global corporations will lead a dialogue on practical approaches to effectively conduct internal investigations and comply with government inquiries, while nevertheless remaining in compliance with data protection laws.

We have several years of experience with different approaches to privacy and data security regulation world-wide. What strategies have been the most or least effective? What have been the measurable benefits or costs? What problems have been solved, what have become more severe, and what can we anticipate in the future? The panel will lead a dialogue on various legislative and regulatory approaches that have been taken with respect to privacy and data security, with a particular focus on APAC, and discuss the elements that might lead to a convergence of policies, or at least minimize conflict globally.

The Sedona Conference Commentary and Principles on Jurisdictional Conflicts Over Transfers of Personal Data Across Borders will be published for public comment in advance of the International Programme. This Commentary builds on the historic principles of “choice of law” and “law of the sea,” which resulted in treaties and norms of international commerce in the 19th and 20th centuries. The Commentary proposes extension of well-established principles of international law to the field of cross-border transfers of personal data. Through the use of a number of hypothetical scenarios, the panel will utilize the six basic Principles and related analysis, and lead a dialogue with the Programme attendees to ensure that the final publication incorporates consideration of the legal culture and practical realities of digital commerce in the APAC region.

In recent years there have been countless country-specific data protection laws and regulations enacted that dictate requirements for handling potential data breach response and notification. This panel will lead a dialogue on how companies are managing often differing and competing notification requirements, particularly as related to notice timing and the definition of a breach in various jurisdictions. In order to determine when an incident rises to the level of a legally defined breach, companies face numerous questions regarding the type of data involved, the security surrounding the system involved, and how the data may or may not have been accessed or further used. The panel will also address the current state and potential future state of data breach notification in the APAC region, discussing enforcement trends and regulatory collaboration across jurisdictions.