08 Aug ASEAN Today – Regional Legal and Business News – July 2022

ASEAN Today – Regional Legal and Business News for July 2022 including Corporate Law News on the Preparation and Maintenance of Records for Personal Data Processing Activities and Security Measures for Personal Data.

 Download PDF

ASEAN Economic Community News

ASEAN Higher Education Roadmap
ASEAN launched the Roadmap on the ASEAN Higher Education Space 2025 and its Implementation Plan (Roadmap) earlier this month. The Roadmap is part of the ASEAN Community Vision 2025 and pictures a resilient and sustainable ASEAN Higher Education Space that harmonizes and internationalizes the region’s higher education systems by creating a common qualifications framework and quality assurance regime. The Roadmap includes mutual recognition of credentials, a digital credit transfer system, and a collective approach to higher education mobility. It would allow governments and private funders to pool funds to create the ASEAN Version of ERASMUS+, the EU’s program to support education, training, youth and sport. A two-year implementation timeline is planned to allow ASEAN national governments to build key features of the Roadmap including ASEAN scholarships and an ASEAN version of Europe’s diploma support as well as mechanisms to ensure financial sustainability for the Roadmap.

ASEAN Companies Sustainability
A new study by international independent standards organization and a Singaporean university says that as climate change becomes a more important issue and sustainability requirements continue to emerge across the region, companies in ASEAN countries with stricter reporting rules are taking the lead in disclosure. The study focused on the 100 biggest listed companies in Indonesia, Malaysia, the Philippines, Singapore, Thailand and Vietnam and found that Thailand, Malaysia, and Singapore are the strongest in climate-related reporting. The report says that, in general, ASEAN companies scored best in reporting on climate change, greenhouse gas emissions, energy consumption, and identifying risks and opportunities. However, they fell short in formulating long-term climate strategies and governance and performance.

ASEAN+6 Steel Production Growth
Experts say that future steel production in the ASEAN-6 countries will increase to 90 million metric tons, up from the current 72 million, with the commissioning of ongoing capacity projects mainly focused in Indonesia, Malaysia and Vietnam. There will be 30 million metric tons of new capacity steel production in Malaysia with 21 million metric tons slated to commence in 2024. There will be an additional 20 million metric tons production capacity in Vietnam in 2023, and Indonesia will have 12 million metric tons of new capacity from 2022-26. There will also be a shift from scrap base production to iron ore base production in the ASEAN-6 in 2026 and blast furnace steel production will dramatically increase and trade flows of iron ore will turn to the ASEAN region due to higher iron ore demand.

Indonesia News
Digitization of Public Services
The Indonesian government announced that it will implement a data-driven policy and accelerate the digitalization of public services by integrating super apps for public services into one app, One Indonesia Data. The government plans to terminate around 24,400 applications that will then be gradually added to the super apps. Indonesia currently uses 2,700 data centers to implement its electronic government; however, only 3% of the data is cloud-based, a serious challenge for Indonesian data producers. The government plans to build four new cloud-based data centers to help realize more efficiency in national data management.

Laos Update
Digital Business Tax
Laos recently implemented tax obligations for non-resident digital platforms and e-commerce service providers. Under the new requirements, non-resident e-commerce and digital platform providers must register for a tax identification number (TIN) via an online portal to file and pay taxes. They must also register for and pay value-added tax (VAT) if their annual revenue exceeds USD 34,000 a year. Tax requirements and rates for resident individuals who earn income from e-commerce or digital service platforms are also included. E-commerce marketplaces and digital platform services liable under the new tax regime include providers of online music, films, and games, streaming services providers, e-commerce services for sellers and buyers, online advertising platforms, and online booking platforms for travel and accommodation.

Singapore Bulletin
Regulating Cryptocurrencies
As part of the Singaporean government’s stance on regulating cryptocurrency, the Monetary Authority of Singapore (MAS) plans to add measures to protect consumers in addition to its ongoing work to counter money laundering and terrorist funding. Currently, Singapore regulatory regimes do not cover consumer protection, market conduct, and reserve backing for cryptocurrencies. Singapore continues to repeatedly warn retail investors to avoid cryptocurrency as it increases regulations on operators through licensing requirements and restrictions on advertising, especially after the recent collapse of three crypto-businesses headquartered in Singapore.

Vietnam Watch
Top Investment Destination
Experts say that Vietnam has become a top destination for investment in manufacturing over the past ten year due to lower labor costs, simpler supply chain integration, better free trade access, and relative political stability. Also, incorporating Vietnamese producers into supply chains is relatively straightforward both upstream and downstream as Vietnam has two international airports, several major ports, reliable power, and easy internet access. Vietnam’s shared border with China also makes it easier for manufacturing firms in Vietnam to integrate into China’s vast network. Vietnam’s political stability and relative security are also reasons why investors favor Vietnam over the ASEAN+4 nations of Indonesia, Malaysia, Thailand, and the Philippines.

Indonesia News
Palm Oil Export Levy Cancelled
The Indonesian government has canceled its export levy for all palm oil products until August 31, 2022, in an attempt to boost exports and ease high inventories. However, this could further depress palm oil prices that have fallen by 50% since April 2022. Palm oil producers have also been struggling with high inventories after the government imposed a three-week export ban in May 2022 to reduce domestic cooking oil prices. Since lifting the ban, the government has also implemented rules on mandatory local sales, domestic market obligations, to keep produce at home to be made into cooking oil.

Thailand Update
New Government Services App
Thailand announced the launch of the All-in-One Public Services App, Tang Raat, as part of the 20-year national policy to make critical government services accessible to all Thai citizens through the One Stop Service (OSS) network. Experts and employees from seven government departments created the mobile application and people will be able to use the app to contact government agencies in their respective provinces including the Office of the Consumer Protection Board, access numerous government services through the citizen portal website, pay bills, and get important information about benefits.

THAILAND LEGAL REVIEW

Corporate Law News
Preparation and Maintenance of Records for Personal Data Processing Activities
The Notification of the Personal Data Protection Committee on the criteria and methods for the preparation and maintenance of records for personal data processing activities of data processors B.E. 2565 (A.D. 2022) will come into effect 180 days from the date of publication in the Royal Gazette (December 18, 2022). The data processor must prepare and maintain records, whether in written form or electronic form, with at least the following details:
(1) Name and information relating to the data processor, and representative of the data processor (In the case that there is the appointment of a representative)
(2) Name and information relating to the data controller who the data processor carries out according to the orders given by or on behalf of such data controller, and representative of data controller (in the case that there is the appointment of a representative)
(3) Name and information relating to the Data Protection Officer (DPO) including contact address and method of contact (In the case that the data processor appoints a DPO)
(4) Categories or natures of the collection, use, or disclosure of personal data that the data processor carries out according to the orders given by or on behalf of such data controller, including personal data and purposes of the collection, use or disclosure of personal data as assigned from the data controller
(5) Categories of persons or entities receiving personal data (In case of submission or transfer of personal data to a foreign country)
(6) Explanation on the security measures for personal data

However, such records shall be easily accessible and can be shown to the Personal Data Protection Committee, data controller, or the persons assigned by the Personal Data Protection Committee or data controller to check immediately upon request.

Security Measures for Personal Data
On June 21, 2022, the Notification of Personal Data Protection Committee on security measures of personal controller B.E. 2565 (A.D. 2022) became effective. The data controller shall provide appropriate security measures to prevent unauthorized or unlawful loss, access, use, alteration, correction, or disclosure of personal data. The security measures shall at least be as follows:
1. Security measures shall cover the collection, use, and disclosure of personal data in accordance with the laws concerning personal data whether in document form or electronic form or other forms
2. Security measures shall consist of appropriate organizational measures and technical measures which may include necessary physical measures by taking into account the level of risk according to the nature and purpose of the collection, use, and disclosure of personal data as well as the possibilities and impacts from personal data infringement
3. Security measures shall take into account the maintenance of security from specifying significant risks that may occur to significant information assets, prevention of significant risk that may occur, examination and surveillance of threats and infringement of personal data, actions when threats and infringement of personal data are found, as necessary and appropriate and it is possible according to the level of risks
4. Security measures shall take into account the capability of confidentiality, integrity and availability of personal data as appropriate according to the level of risks by considering factors on technology, context, environment, acceptable standards for agencies or businesses in the category or in the same or similar manner, natures and purposes of collection, use and disclosure of personal data, required resources and the possibility of taking action altogether
5. For the collection, use, and disclosure of personal data in electronic form, the security measures shall cover any components of information systems relating to the collection, use, and disclosure of personal data, such as systems and equipment for data storage, servers, clients and other devices as used, networks, software and applications, as appropriate according to the level of risk, by considering the principle of defense in depth that should consist of multiple layers of security controls to reduce risks in the case that there are restrictions for certain measures to protect security for certain situations
6. Security measures in the part of access, use, change, correction, deletion or disclosure of personal data, shall at least be composed of the following actions as appropriate according to the level of risk, by considering the necessity of access and use according to nature and purpose of the collection, use, and disclosure of personal data, security according to the level of risk, required resources and the possibility of taking action altogether:
– A) Control of access into personal data and components of information systems that are significant (access control), which include identity proofing and authentication and authorization as appropriate by considering need-to-know basis according to the principle of least privilege.
– B) Appropriate user access management which may include user registration and de-registration, user access provisioning, management of privileged access right, management of secret authentication information of users, review of user access rights and removal or adjustment of access rights.
– C) User responsibilities to prevent unauthorized or unlawful loss, access, use, alteration, correction or disclosure of personal data, which include where actions are made out of duties as assigned as well as unauthorized or unlawful making copies of personal data, and stealing of devices for the storage and process of personal data.
– D) Providing methods for traceability of access, change, correction or deletion of personal data (audit trails) which is appropriate with methods and media used for collection, use or disclosure of personal data

7. Security measures shall include providing privacy and security awareness and notification of policies, practices, and measures of personal data protection and security of data controllers as appropriate, to personnel, officers, employees, or other users or related to access, collection, use, change, correction, deletion or disclosure of personal data for acknowledgement and practice, including any amendment of such policies, practices and measures by considering natures and purposes of collection, use and disclosure of personal data, level of risks, required resources and the possibility of taking action altogether.

Data controllers shall also provide a review of security measures when necessary, or when the technology changes, for the efficiency and appropriation of security, by taking into account the level of risk based on factors on technology, context, environment, acceptable standards for agencies or businesses in the category or in the same or similar manner, nature and purpose of collection, use and disclosure of Personal Data, required resources, and the possibility of taking action altogether.

Additionally, for the agreement between the data controller and data processor, the data controller shall consider and assign the data controller to have appropriate security measures, including informing the data controller of personal data infringement. Such security measures shall meet the minimum standard as mentioned above.

Disclaimer
The material contained herein is only provided for information purposes. No part thereof may be deemed to constitute legal advice or the opinions of this law firm or any of its attorneys. Whilst every effort has been made to verify the contents of the material contained herein, we do not represent, warrant, undertake, or guarantee that the information contained in this newsletter is correct, accurate, or complete. Legal advice must be sought before acting on any information contained herein.