Latest roundup in global data protection and privacy

Thailand PDPC publishes criteria for personal data deletion, destruction, and de-identification  On June 14, 2024, the Personal Data Protection Committee (PDPC) released a draft notification under the Personal Data Protection Act 2019 (PDPA), outlining the criteria for data controllers on how to delete, destroy, or de-identify personal data.  According to the PDPA, a data subject can request the deletion, destruction, or de-identification of their personal data under the following circumstances: 

• The data is no longer necessary for its original purpose. 
• The data subject withdraws consent, and no other lawful basis for processing exists. 
• The data subject objects to processing on legitimate interest grounds, and there are no overriding reasons to continue processing. 
• The data subject objects to processing for direct marketing purposes. 
• The data processing is unlawful. 

The draft mandates that data controllers respond to such requests immediately, and no later than 60 days. If immediate action is not possible, interim measures must be taken to restrict access and ensure data security.  In cases where de-identification or anonymisation is chosen over deletion or destruction, data controllers must: 

• Remove all direct identifiers (e.g., names, IDs, emails, biometric data). 
• Implement measures to ensure indirect identifiers cannot re-identify the data subject, reducing identification risk. 

De-identification or anonymisation is not allowed if the data subject requests erasure due to unlawful processing; in such cases, full deletion or destruction is required. The draft is open for public feedback until June 28, 2024, and may be revised before official publication.  In light of the PDPC's draft notification, affected companies should review and update their data protection policies to ensure compliance with the new requirements. They should begin to put in place clear processes for handling deletion, destruction, and de-identification requests, which will ensure timely responses within the stipulated 60-day period. 

G7 countries commit to joint cybersecurity framework for energy sector 

The G7 nations have agreed to establish a collective cybersecurity framework aimed at safeguarding operational technologies in the energy sector. This decision, announced at the recent summit in Italy, seeks to protect critical infrastructure such as electricity, oil, and natural gas systems from increasing cyber threats.  The National Security Advisor to the UN highlighted the urgent need for stronger cybersecurity measures as new digital clean energy technologies are integrated. The initiative was developed in direct response to frequent cyberattacks on energy systems worldwide, such as the notable Colonial Pipeline ransomware attack in the U.S.  The G7 leaders—comprising Italy, the US, the UK, Germany, France, Canada, and Japan—also discussed other critical cybersecurity issues, including ransomware, cyberattacks from specific nation states, and the establishment of a new G7 Cybersecurity Working Group. They committed to enhancing resilience and security within the energy sector and urged manufacturers to develop more secure products. To promote the creation of secure Internet of Things (IoT) products, the G7 will explore mutual recognition of cybersecurity schemes.  In support of this initiative, the U.S. Department of Energy has released a new set of Supply Chain Cybersecurity Principles. These principles, backed by major industry players such as GE Vernova, Schneider Electric, Hitachi Energy, Honeywell, Schweitzer Engineering Laboratories, Rockwell Automation, and Siemens, outline essential actions for achieving robust cybersecurity across global supply chains in energy automation and industrial control systems (ICS). They emphasise the shared responsibilities between suppliers and end-users to meet desired security outcomes.  In response to the G7's collective cybersecurity initiative, companies are encouraged to strengthen supply chain security, enhance critical infrastructure resilience, promote secure product development, and adopt comprehensive cybersecurity frameworks. Multi-stakeholder partnerships and regular cybersecurity training are also important steps to be considered by companies to improve cybersecurity and protect critical infrastructure. 

Hong Kong’s DPA publishes AI – Model Personal Data Protection Framework 

On June 11, 2024, Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) unveiled the "Artificial Intelligence: Model Personal Data Protection Framework." This non-binding framework offers practical recommendations and best practices for organisations procuring and implementing AI systems, ensuring compliance with the Personal Data Privacy Ordinance (PDPO).  The Model Framework emphasises ethical AI procurement, implementation, and usage. It encourages organisations to establish internal strategies and governance measures for AI solutions. Conducting risk assessments and managing AI risks with appropriate human oversight are crucial components. The framework also highlights the importance of preparing and managing data to ensure the security and integrity of AI systems. Moreover, it stresses the need for transparent communication with stakeholders to build trust in AI usage.  This new framework complements the PCPD's 2021 Guidance on Ethical AI Development, which promotes values such as respect, benefit, and fairness, along with principles like accountability, human oversight, transparency, data privacy, and reliability.  Comparing this with other jurisdictions, the European Union's AI Act classifies AI systems by risk level, requiring serious incidents to be reported to market authorities.

In contrast, Singapore's regulatory framework has a broader focus on general AI governance, while Hong Kong's framework is more centred on data protection.  For companies, the publication of this framework underscores the importance of developing a global AI strategy with comprehensive internal governance rules to understand and mitigate AI risks. Conducting internal data audits to assess the extent and use of AI in operations is also recommended to identify and mitigate risks effectively.  As a global B Corp organisation, HewardMills is ready to partner with and support your organisation’s needs to safeguard personal data and tackle challenging ever-evolving global data protection regulatory requirements. Contact our team to discuss any of the topics or regulatory updates discussed.