The Data Diva E169 - Kar Hong Wong and Debbie Reynolds

Show Notes

Debbie Reynolds, “The Data Diva” talks to Kar Wong, Founder and Chief Consulting Officer at Young Technology Consulting (Singapore). We discuss privacy laws in Asia, including the history of data protection laws in Singapore, Malaysia, and the Philippines. We also compared data protection laws in Asia to those in Europe and the US, noting that while there are some differences, there are more similarities than differences. We also discuss the differences in consent prioritization between Asian countries and Europe, with consent often a higher priority in Asian countries. We also touch on the complexities of data localization and its impact on sensitive data and international trade.

We also discuss the challenges of enforcing data privacy laws and the penalties for sending data without government approval, particularly in China. We expressed concern about the impact of strained relationships between countries on cross-border trade involving data transfer. We also delve into AI governance and its impact on privacy risks, highlighting the need for privacy professionals to reassess their data and processes to avoid regulatory issues. We also discuss the future of privacy and technology, emphasizing the importance of privacy and how technology can help protect it.

Overall, the episode highlights the challenges and nuances of privacy laws in Asia, including differences in consent prioritization and data localization. We also discuss the challenges of enforcing data privacy laws and the impact of AI governance on privacy risks. The conversation emphasized the need for continued innovation in privacy and technology to protect privacy in the future.  

Support the Show.

Transcript

34:17

SUMMARY KEYWORDS

data, privacy, singapore, country, localization, ai, china, law, asia, data protection law, company, years, government, technology, data protection, regulation, concern, organization, called, enforce

SPEAKERS

Kar Wong, Debbie Reynolds

Debbie Reynolds  00:00

Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds; they call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a very special guest on the show all the way from Singapore. Kar Wong is the Founder and Chief Consulting Officer at Young Technology Consulting. He is someone who's had very deep experience in the technology space. And so I welcome him to the show. Thank you.

Kar Wong  00:52

Thank you very much, Debbie. Thank you for having me on the show.

Debbie Reynolds  00:57

Yeah, well, I'm happy that we were able to connect and have you on the show. I look back at my notes. I think I asked you to be on the show a couple of years ago; glad that we're able to connect this year to have you on the show. Tell me a little bit about your background, your trajectory, and how you moved through your career and got into privacy.

Kar Wong  01:19

I formerly was an IT person for more than 30 years; I studied computer science at the University of Pennsylvania. When I graduated and went to Singapore, I worked for the Central Government and the National Computer Board for 10 years. I was sent by the government to study computer science in the United States because we were trying to computerize the civil service in Singapore in the early 70s and the 80s. So when I finished my so-called scholarship, I spent roughly eight or nine years working for the government; I moved on to China, worked for Ericsson as the IT manager, and then subsequently went back to Singapore and put on some projects. And I eventually went back to China; once you're in China, you love China; it is a very interesting place and project, and everything moves very fast. And it's on a very large scale. So the second time I went back to China, I initially worked for a tire company, one of the largest tire local tire manufacturers in China, and the year plus and moved on to InterContinental Hotels as the Director for the Greater China region. Subsequently, I came back to Singapore when my kids needed to come back to study in Singapore because we were Singaporean. About five years ago, I started my own company in Data Privacy, primarily doing consulting, and we do quite a fair bit of training. Also, we are an authorized training partner of IAPP in Singapore.

Debbie Reynolds  02:54

Yeah, that's amazing. So, what is it about privacy that made you want to move from the more technical IT field into privacy,

Kar Wong  03:06

When they first knew this thing about privacy and data protection, the very last company I worked for was a company that provides software for hotels, primarily in Asia, with roughly 2000 hotel customers of the company I used to work for. So one day around the year 2017, we had this request from our main customers, the Marriot, the Hilton, the IHG, their core offering to us and say, hey, let's make sure that your software is GDPR compliant. All right. So my boss basically just came to me and said, look, I don't know why this is GDPR, but make sure we are compliant. And I was like, why is GDPR a nuisance? Okay, so, that was how I got into understanding there's something called GDPR that at that time was like, oh, policies, alright. So, we started taking into it; then I started to realize that in the digital economy, this data is very important in any business transaction, especially a lot of cross border transactions. Now, we in the hotel industry, and then we got into this, I have to get to make sure that our company, the product was amended enough to be so-called GDPR compliant, for example, to be able to easily see to a data subject access request, that kind of requirement. That's how we started to get a better understanding subsequently, I realized that it is an area in which it is not just GDPR. Many other countries also have a law, including Singapore. In Singapore, we have a law enacted in the year 2012. And it came into force in 2014. Several years before GDPR, you just had no policy to pay any attention at all, to be frank, and your authority wasn't very active in enforcing it in the early days. No, nothing changed. After 2018, after GDPR came into force, and to be frank, a lot more aware of it, and authorities become a lot more active in enforcing it. And I've seen many, many more countries have already enacted the law process, or some of them already started enforcing them. So this is a very interesting thing to get into, and it is very closely related to it mostly because of the top I'm really in the digital database these days.

Debbie Reynolds  05:32

Yeah, wow, that's great. Oh, wow. Well, that story is true. So, I'm a data person. And so it closely aligns with my work in data and digital transformation because I help companies either implement or create and develop tools to handle data. So whenever you're doing that, and also, when you're doing in a cross-border fashion, you have to know what the different laws and regulations are so that you don't run afoul of those regulations. Talk a little bit about just Asia; in general, the point you made is very well taken. So, I think when GDPR came out, it made privacy and data protection more of a C-suite issue. It brought more attention to data protection regulations. But Asia has been very mature is very mature, in my view, on data protection. So, like you said, Singapore had a law, and it's been out for quite some time. The Philippines had a law, I mean, a lot of laws; when we think about that, maybe people don't even know about or pass data protection in Asia in different countries between 1995 and 2016. There are a lot of laws that are already existing there. But I think that GDPR overshadows a lot because of the fines. So, I think if GDPR didn't have fines in that law, we probably wouldn't even be talking about it right now. That's the thing. I think that got people's attention. And that's the thing that's gotten people really interested. I'm glad people are interested in data protection. You know, I feel like it's an area that definitely caught my interest. But I think the world is really interested there. But tell me about data protection laws in Singapore and different countries in Asia.

Kar Wong  07:32

Yes, you actually do have the data protection law already enacted in some Asian countries. For the EU, GDPR came about; for example, Hong Kong was really one of the early years countries in ASEAN. ASEAN is actually Malaysia; Malaysia law came into force about 2010, and the first country in ASEAN 10, followed by Singapore and the Philippines; we have a law in the year 2012, and it came into force around 2014. Of course, in 2016, GDPR came in until 2018, when it was starting to be enforced. And after that other countries start to pick up soon in Asia. Today, we had Thailand 2019 enacted the law, but they delayed the implementation until the first of June 2022 because of COVID-19. So, in the years 2020 and 21. They said they could implement it. So the solid delay until 2022, the first of June, and following that, we have China. China's action was pretty fast; they have the law. So, pass around the 20th of October 2021. By the first of November 2021, it had already started to be enforced. After that we have Indonesia 2022, you should come into enforcement. We'll start around October 2024. And just earlier this year with Vietnam, and then just about a couple of months ago was India. So this is what is primarily happening in this part of the world, Asia and also Southeast Asia; we still have a handful of countries in Southeast Asia, and we love the data protection law. These are primarily within the country and repeat behind like Myanmar having its own big difficulty there. We have Cambodia and Laos, which don't have data protection laws yet. Brunei is in the process. They are already thinking about this. Of course, Japan is quite early; the only difference, I will say, is that it is a different country. First of all very differently. Some are more active, some kind of passive, and also our law. Interestingly, in many countries in Asia, the data potential doesn't apply to the government, which is very different from, for example, GDPR. The government, which is pretty common here, that they don't have in the government, our day competition law doesn't apply to the government in many countries, including Singapore. Yeah,

Debbie Reynolds  10:05

Right. I guess it's in the US is similar.

Kar Wong  10:10

I thought that the US, at this moment, does not have a Federal level law, yet HRPA is one of the more comprehensive in the sense. And then we have courses a CPRA and post Virginia or how you have their State law.

Debbie Reynolds  10:23

The US is very complicated. People who don't know anything about data protection in Asia only know about the US or Europe. What are some differences that you see between like, for example, GDPR and some of the files that are being passed by Singapore and other countries in Asia?

Kar Wong  10:48

Sometimes I'm asked this question by people and say, look, you're operating in Asia, there are so many countries in Asia, and each of them has data protection law, and there is a conflict or inconsistency between this law if I'm a company that operates in seven countries in Asia, so how do I go about doing my data protection programs? For example? My answer, generally, is this: actually, if you look at the data protection law of another country, there are more similarities than differences and hardly any so-called conflict, I would say. And I will say that most of them started with the following information processing principle many years ago, studying ascending and descending falls by department of Health, Education, and Welfare in the USA, and then you will evolve in OECD guidelines. And I will say that GDPR, when you were on, structured, and described the various parts of the law, they have these seven principles under the GDPR. They have six Giga bases for processing personal data; they are the eight data subject rights right. Okay. And you can actually find all this pretty much in all the law in Asia, whether it's China, whether it's Singapore, whether it's Malaysia, the basic principle one is the legal basis of processing like concern, which determines interest, contractual obligation, public interest. The basic principle of accountability, transfer limitation whenever the data and data can get out of the country border, is a sensitive issue. Some countries may not have a definition of sensitive data, like Singapore does know, though we were so caught having this guideline by the authorities say, well, health records, biometrics, and financial data is an important sensitive data. We also have data subjects or data subjects, right? Not all countries have all eight data subject rights for somebody in Singapore for each of the EU GDPR; for example, we do not have a data subject right called the rights to be for content. Okay. So we don't have that government granted me in 2010 to amend the law and content right to have data portability. Actually, I would prefer to be for content and portability. Never mind, so this is a slight difference. But on the whole, they are not inconsistent. I'll show you the major differences, all coming primarily in the area of fines and penalties, administrative fines, whether they are civil liability, and in some countries, they may also have criminal liability under circumstances where they are seen to have to intentionally use the data they have in their hands. So for example, filing they have similar liability. China, of course, has criminalized Singapore; we do not have criminal liability; we are pretty much like you, GDPR the organizations, which are called the data controllers or data processors; they are the ones that know both sides need to be fine. I mean, should be fine, and correct corrective orders by the authority here in most countries like that. Right.

Debbie Reynolds  14:02

Perfect. That's amazing, and thank you for doing that. You actually mentioned a couple of things that I want to talk about a little bit more deeply, actually. These are the differences that I noticed; I have worked with companies or organizations or HR for, I'm embarrassed to say how long, it's been a long time. But there are a couple of themes that you mentioned that I want to talk about a little bit more. One is consent. So consent is a legal basis, also in Europe and in different jurisdictions in different ways. The one thing that I noticed about consent is that, for example, the GDPR consent is a legal basis, but consent is considered the last resort; you should try to use all the other five first before you get to consent right, where I feel like a lot of Asian countries consent is very high. It's higher on the list than then here. So tell me a little bit about that. Consent

Kar Wong  15:11

It's high on the list. Yeah. We have DPOs who didn't even know that there's other legal basis they are just always talking about consent.

Debbie Reynolds  15:22

Yeah, tell me about that difference, about consent having a higher priority.

Kar Wong  15:30

We are pretty consent-centric, okay? It is only in the year 2020. November, when we amended our law a bit and made it clearer that they are the other bigger bases of legitimate interest, cultural application of concern is something there's really no saying formula is easy to understand and easy to get. Now, there's one really important concept. When it comes to consent, the sponsor must be given freely. Right, you have the notifying specifiy? Well, I think in practice, when the implementation itself is not there, it's really not that necessarily specific; sometimes, in many cases, as in some casual in some coalition from time to time, we, in many parts of this part of the world, people are less, quite more willing to part with our personal data in the sense of my name, address, telephone number, email, all those things. For some incentive, I'm the one who doesn't mind you; someone comes to me and says, would you mind if I have a name, email address, and phone number? Why oh, so that I can send you an email and offer you some discount voucher, all of this. So we share that. Alright, so, and I get upset if I do that. So it happens. So we do have a very different, sometimes a different cultural background, history background, things like, obviously, you see, the EU GDPR emphasized a lot on the freedom human rights thing, I think has to do with the historical background to what happened over there. Over here are some in the EU GDPR sensitive data that doesn't even include finances, which is a big surprise to us in Asia; money is very important to us. Okay. So anytime we lose money, we lose our critical number and bank, we are more worried about losing our perhaps as a health record, maybe about biometric data. So, to us, our sensitive data, primarily financial records, is certainly one of them. But so these are the these are the some some differences. Okay.

Debbie Reynolds  17:32

And then another one, this is a big one that I'd really love your thoughts on, and that is data localization. So, I noticed that countries in Asia tend to move towards data localization and data protection laws. So I want your thoughts like I think it's being proposed in the Philippines. Now, it's already a feature of a lot of different laws; I think data localization. For example, I was talking to someone the other day in India because I used to have teams in India, and even before their data protection law recently, it's been passed for decades, but you cannot take financial data from banking data out of India, just couldn't do it. Right. So, tell me a little bit about data localization for people who don't understand that concept and how that plays out. And why do you think that these countries really want data localization?

Kar Wong  18:30

Yeah, I think data localization is really a very tricky issue. Firstly, in order to facilitate international trade, data will really need to flow and not allow them to get out of the country. I think a lot of transactions in a lot of businesses cannot be done. But then again, although our country has data localization law, for example, about India with all about it in Indonesia, to some extent, China also has that requirement lately. Okay. It really doesn't mean that there's not a single record that can flow out. Basically, they're still regulations and some of the banking laws, telecom laws, and health care laws that to allow a situation in which you can get for me to send across even in China, they have this critical infrastructure, any operator, there is classified as critical infrastructure providers, such as telecoms, utilities, transportation, banking, of course, health care, and they will have a restriction data has to be SOCO localized, but if you want me to send out it's troublesome, but it's not the release cannot be done. I think the different countries may have different reasons why they want data localization. A lot of the time, it is about national security. National security is a phrase these days that the government uses to justify anything that they cannot explain. Okay, so they just use the word national security cost to business, particularly in some Businesses in the critical infrastructure sectors; they still allow, we still have excitation, and one of those has data across the border. Actually, I think all country has one common requirement when it comes to transferring it out of the country, somebody similar to what GDPR require, although none of us has that kind of Soho adequacy kind of concept; basically requires the country or the company that send data out to another country and show the other party as the sufficient measures. They can protect the data; if something happens to this we see receiving in the other country, the data controller over here will be hooked up by the authority to explain and be fine. In APEC, we have something going on for the privacy regulation, I think, which is to help to facilitate the trade with the exchange of data across the country within the APEC so that the scientists know how to facilitate the transfer of data.

Debbie Reynolds  21:04

You mean the APEC privacy framework?

Kar Wong  21:07

Yeah, within the framework, we have the CBPR cross-border, I think, privacy regulations. CBPR. Yeah.

Debbie Reynolds  21:16

Very good. One last thing about localization, and that is, what are your thoughts on it? Well, as an IT person, you probably have a good point of view about these two things by localization. One is that I feel that localization, in some countries, the one localization, part of it is that they want to make sure that the jobs related to data protection are in the country. That's one reason for localization. And then the other thing is, I personally don't think data localization solves the problems that companies think they see. So, in some ways, I feel like countries feel if the data is local, then it lowers the risk of it being breached or something like that. And I don't think that's necessarily true, especially because people are on the Internet. If the data wasn't traveling, I think it would be less risky in some way unless someone broke into a building and decided to do something with the data. So, what are your thoughts about that?

Kar Wong  22:22

I think there are two things you were talking about trying to keep the data on locally; data localization is gonna protect the DPO job; as you said, it's not really related. Because the law basically each of the countries primarily says or views, as long as they process personal data, you're supposed to appoint a Data Protection Officer. So, data protection officers among the many things that they do one of those is international data transfer is pretty messy, and many DPOs need to struggle with that. The other thing is, you're right now, data localization is not always easy to confine, although, of course, you can be eager; if you are found to have sent your data across without government approval, then the organization gets penalized. But we'll be able to enforce it successfully. I think only China doing well enough with your firewall. I was in China just about three months ago. It was a pretty frustrating experience again because I've been in China for many years in the past, and my Facebook, YouTube, and Google still work. But this time, I'm back in China, which is really difficult, getting more and more difficult. We need what we call function puncher, which means jump across the wall, jump across the wall, which is illegal. Okay, so there's already one who can get penalized a million renminbi for doing that recently, just about a week. So it is, again, I will say they do have this concern. Some country at least concerned about data being sent across one of the biggest fine in Asia recently is China, which of course, I've tried to live in the USA, and now they pull back and for listening USA, and a lot of data was stored in the USA. And technically, you can get a new suit for the US government, whoever else, or the Chinese government to be able to assess the data and understand the travel pattern and all those things for Chinese people. And we just do not really show the government. Interesting with that. But anyway, to get penalized for, among many other not exactly clear crimes, but this is one of those that the breach in the UK. Finally, I think it's a billion, maybe a billion dollars. Yeah.

Debbie Reynolds  24:31

Wow, that's fascinating. I want to talk a little bit about the APEC privacy framework. This framework that I actually like a lot, and I have seen I saw last year in 2022, that the US and APEC made up an agreement that they honor that agreement with the APEC the US as well. And so the thing that I liked about this framework is that it doesn't try to assume that all countries are the same. But they do try to say here are principles or foundational principles that we agree on if we're going to transfer data, but what are your thoughts?

Kar Wong  25:17

I think it is really cool to have the Asia Pacific privacy framework. And he actually the intent is to facilitate trade. In fact, the CBPR, and also the PRP certification program allows companies to apply in the sense that the company is so-called certified. And then they can really confidently and freely exchange data or pretty much like the adequacy kind of situation in the yield GDPR. And I, if you ask me, if anything, I mean, Salaberry is actually, I thought that they're just not that many companies signed up yet. Now, even just a couple of years back, the Singapore government just announced how many people signed up for CBP; I was totally surprised; it is way below 100. I hope that they are more, they will promote it more. And companies see that it is really beneficial. They have to see that it is beneficial before the private organization wants to sign on to this, but the principal, the intention, and the mechanism will help to facilitate trade.

Debbie Reynolds  26:20

I agree; what's happening in the world right now that's concerning you most around Data Privacy, data protection, and a couple of areas.

Kar Wong  26:31

One is the strained relationship between China and the United States and also maybe Europe in some way. How does this really you know, cannot subsequently when it comes to really cross border trade, they involve the data transfer, it is one, the other one is actually more technology related, it is actually coming up the AI recently, chat GPT really generated quite a fair bit of interest in a few months back. And we start to see AI governance being talked about a lot more in the privacy community. And interestingly, the AI government is under the purview of the Data Protection Authority. That also does it also mean that we privacy, people will start to also have to know about the AI Covenant as part of the scope of our job. What do you think?

Debbie Reynolds  27:24

Yeah, I agree; AI is concerned because the way that AI tools handle data makes it more complex to figure out how the data flows, you know, data flow in a straight line. So, I think AI in enterprises raises privacy risks depending on what goes into the model. And definitely, companies are concerned about people putting their personal company information into public AI systems; people are concerned about people putting company data into AI systems because then they lose control of that. But then also, what we're starting to see is so many tools we use every day are now implementing AI. So, I think it creates a situation where you have to go back and almost reassess or assess in a different way. But AI capabilities are being brought into these tools to make sure you’re not running afoul of the regulation. I think what AI tools are doing, especially for companies that weren't doing automated processing or weren't saying, okay, well, automated decision making, doesn't apply to me because I'm not using these tools. But then once you start adding AI to it and you have AI making decisions for companies, then you are doing automated decision making so you have to take a fresh look at your data and how your processes are put in place. What are your thoughts?

Kar Wong  29:02

Yeah, you're right. Well, AI is being used as a very powerful tool and is certainly to give anyone an organization or individual who really wants to harness their power to really intrude on your privacy. The reason I gave a talk at a conference organizer conference in Thailand is that one of my topics was the challenge to privacy in the AI era for somebody to think about it. Facial recognition is really a very intrusive technology when it comes to identifying us. In the past, we have CCTV and CCTV these days all over the place. However, they still need a manual person to go and trace out the person. Now AI can help you use facial recognition, and I'm able to tell with the help of the machine that Mr. Wong is in this location captured by CCTV number one, and 10 seconds later you appear in CCTV number two and is in another neighboring location, and you don't need people to trace the machine will tell you all right. So they Facial recognition. And, of course, another very controversial kind of company called Free View AI has generated quite a fair bit of concern in the world. Europe is not very welcomed by the authorities over there. Within Australia, for example. Other than that, the other thing that really concerns me very wary is the face, someone's body, and needed chatting; so easy to do; I can really literally go to the Internet, pay 10 bucks a month, and I can put any person face on, let's say a new body. And it is really difficult for the men to claim that does not mean profit is not Yo, come to a stop me. Okay. That is very scary. Yeah.

Debbie Reynolds  30:48

I agree. I agree. If it were the world, according to you, Kar, and we did everything that you said, what would be your wish for privacy anywhere, or data protection anywhere in the world, whether that be human behavior, regulation, or technology?

Kar Wong  31:06

I would think that there will always be people who don't quite know or care for privacy, which is known as the privacy paradox. It is still very much alive among my friends; there's one other thing is that they will people will continue to abuse it until they catch up with the regulations. But what I really wish is that as you progress, and I think we are progressing towards that, people will over time become more and more aware of privacy, that they actually have a choice, they can control it, they have a choice, they can control it the regulation that will help them that technology like the privacy enhancing technologies, where interesting technology can help our privacy. So today, if we look at any software, we would have expected the cybersecurity feature and functionality will be there password, two-factor authentication, and encryption, this kind of things you'd be the software doesn't come with them, we probably will not use the software. But I will say that in a couple of years’ time, we will also expect the privacy feature to be there in the software; we don't have a we are not going to be willing to use it. So today, we already have a lot of pop-up windows to ask you to choose your cookies; the report will warn you if you put too many email addresses in the To CC few of the other email addresses. So this is actually, literally, an improvement in protecting our privacy. So as technology progresses with this homomorphic encryption, the better use of differential privacy is going to drive industry, which is the capability to protect our privacy on the one hand where all the technology continues to progress. And also at the other side, there will be new things that come out, they can also violate our privacy. It's going to be a very interesting world.

Debbie Reynolds  33:01

I think so. 

Kar Wong  33:02

It's an interesting industry to be in. 

Debbie Reynolds  33:05

It is very interesting. I think you're going to be very busy. We're going to be very busy for quite some time. Absolutely.

Kar Wong  33:14

I love this field because the technology is new. I call my company Young Technology. Okay, one of my daughter is for young, but also this is young. This is really new. This is technology, this concept, this whole thing is young. And it's going to be young for you won't get over so fast.

Debbie Reynolds  33:29

That's right. I agree. I agree. Well, thank you so much for doing this call.

Kar Wong  33:38

Thank you.

Debbie Reynolds  33:40

Yeah, this is amazing. I'm so happy that we were able to chat as you know, I love to talk to people in different regions of the world. So I think this is very interesting and very needed information and perspective for people who don't understand Asia in general. Thank you so much.

Kar Wong  33:57

Okay, I hope I have not been talking nonsense. I hope it has been useful.

Debbie Reynolds  34:01

No, no, no, that's perfect. Absolutely. Perfect. Thank you so much. I'll talk to you soon. Okay, bye bye.