IP transactions in life sciences in ASEAN countries: data export controls

Technology and innovation is integral to all Association of Southeast Asian Nations (ASEAN) economies. Innovative businesses in the region thus need to stay abreast of the territorial legal/regulatory provisions regarding data and technology transfer to safeguard their rights during IP transactions, especially in the life sciences space.

We will explore three key aspects of IP transactions in life sciences in the ASEAN countries over the next three weeks.

In the first of a three-part article exploring key aspects of IP transactions in life sciences in the ASEAN countries, we examine data export controls.

The ASEAN Digital Ministers' Meeting approved the ASEAN Data Management Framework (DMF) and the Model Contractual Clauses for Cross Border Data Flows (MCCs) on 21 January 2021. The DMF aims to provide a comprehensive framework covering various data protection issues, including cross-border transfers, while the MCCs offer a template set of contract terms with regard to data transfers within the ASEAN region. Some fundamental data protection principles set out by the MCCs include:

• legal basis for data collection;
• use and disclosure;
• baseline data protection clauses; and
• data breach notification.
   

However, adoption of the MCCs does not guarantee compliance with national data protection laws. In fact, the clauses include optional terms that may be tailored to local requirements. It is thus crucial for businesses to review their data protection policies to ensure that they comply with local legislation.

Singapore

The Personal Data Protection Act 2012 stipulates that data may only be transferred to a party in a different jurisdiction if the recipient is bound by legally enforceable obligations to provide protection comparable to that under the act (eg, use of contractual clauses and corporate rules). However, there is no requirement to register the use of personal data with data protection authorities, for example, Personal Data Protection Commission.

Malaysia

The Malaysia Personal Data Protection Act 2010 states that no personal data, including patients’ personal data relating to physical or mental health, shall be transferred out of the country, unless to such places specified by the minister through publication of a gazette. Yet, to date, there has been no gazetted notification of any permitted country issued by the minister. In the absence of a white list of safe harbour countries, Section 129(3) of the act applies, which permits the transfer of personal data abroad provided, for example, that the data subject has given their consent, that the transfer is for the purpose of legal proceedings or that it is necessary to protect the vital interest of the data subject or the public.

For patients’ personal data, it shall only be processed in accordance with the circumstances set out in Section 40(1) of the act. These include:

• explicit consent from the data subject;
• confirmation that the processing is for the purposes of, for example, exercising any right or obligation conferred by law on the data user in connection with employment, for medical purposes or for the purpose of legal proceedings; and
• confirmation that the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

Indonesia

Indonesia has no data protection law regulating data export control. However, companies must generally comply with the following procedures to transfer personal data overseas:

• coordinate with the Minister of Communication and Informatics or the officer/agency authorised for such matters; and
• obtain written consent for the processing of personal data for marketing purposes.

The Philippines

In the Philippines, the Data Privacy Act 2012 seeks to regulate the collection, storage, use or destruction of personal data/information. Specifically, where sensitive personal information is being processed, notice and prior consent should be obtained. The act does not otherwise restrict the transfer of personal data outside the Philippines. However, if an organisation transfers data to a data processor, whether in the Philippines or overseas, it must ensure that proper safeguards are in place, including entering data processor agreements in respect of cross-border transfers of data.

Thailand

Thailand has no specific law on exporting data. However, personally identifiable information is covered under its Personal Data Protection Act, which is expected to come into force in May 2022. In the event of sensitive data, the act requires permission from the data subject. In addition, personal data can be transferred to other countries or international organisations with adequate personal data protection standards, unless exemptions apply.

Vietnam

The current laws state that patients’ health status and private information in their case history dossiers may be disclosed only with their agreement, or for exchanging information between practitioners directly treating the patients to improve the quality of diagnosis and treatment, or in other cases provided by law. Although there are no statutory restrictions to cross-border transfer of such data, patients’ consent must be obtained.

Further, a draft Personal Data Protection Decree is currently under review by the government. This states that it is necessary to register with the Personal Data Protection Committee before processing data in life sciences, including for health (considered sensitive personal data). Additionally, Vietnam has a system that stores cross-border data transfer history for at least three years. The data subject's consent, proof that the destination country possesses the same level of data protection as Vietnam and approval of the transfer by the committee must be satisfied. However, these provisions for cross-border data transfer have been controversial with regard to their enforceability and many foreign-invested companies and large offshore data-reliant corporations have proposed removing such strict registration requirements. Thus, no official legalisation date of the Personal Data Protection Decree has yet been confirmed.

India

Cross-border data transfer is regulated under general data protection legislation in relation to personally identifiable information, as well as sector-specific regulations regarding specific types of personal and non-personal data.

General data protection legislation, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 restrict the transfer of sensitive personal data (including health conditions, medical records, financial data and biometric information) outside of India. Exceptions arise where a transfer is made to a country ensuring the same or similar level of data protection under the rules, and where it is for the performance of a lawful contract with the information provider or with that person’s consent. In addition, forthcoming legislation in the form of a Data Protection Bill 2021 requires data fiduciaries to store a copy of sensitive information within India and only permit transfer abroad with consent. It is also necessary to implement a legal basis for transfer, such as an approved contract or on specific authorisation of the Data Protection Authority or the central government.

The New Drugs and Clinical Trials Rules 2019 do not restrict cross-border transfer of clinical trial data. However, it is advisable to store a copy of the clinical trial records locally, in case the Drugs Controller General of India (the authority for approval and regulation of clinical trials) requests it. In addition, the Indian Council for Medical Research National Ethical Guidelines require all research involving international collaboration or funding to have the prior approval of the Steering Committee of the Ministry, and that data transfers may be made on the basis of data transfer agreements or material transfer agreements. These agreements must clearly state the purpose of transfer, confidentiality, access, intellectual property, consent, security measures and data ownership.

Comment

Thus, while there are no blanket restrictions on transfer of life science data outside these ASEAN countries, such data must be transferred in compliance with applicable data protection law or guidelines.

Next week, we examine IP ownership and sharing.

JurisAsia LLC is an independent Singapore firm exclusively associated with Gowling WLG (UK) LLP.