Joshua Woo advises a wide range of clients on all things data protection, including cross-border data transfers, data breach notifications and cybersecurity incident response. Joshua also helps clients with their technology-related needs, including preparing template documentation and platform terms, and counselling clients on their use of novel technologies such as generative AI.
Clients look to Joshua for his extensive experience in data protection and cybersecurity matters, and he has acted as breach coach for hospitality, pharmaceutical, retail and healthcare companies, and financial institutions. Joshua also leverages his experience as a seconded legal counsel to a Singapore digital bank, where he spearheaded the bank’s technology procurement, to provide tailored and practical advice to in-house counsel.
Joshua’s most notable matters include representing a Singapore IT service provider in Committee of Inquiry proceedings convened to investigate a cyber-attack resulting in Singapore’s largest data breach, and advising a Fortune 500 company on their cross-jurisdictional data flows and structuring of a data lake arrangement for the commercialisation of health care data.
Joshua is a prolific author of legal updates, has co-authored Lexology’s Getting The Deal Through for Data Protection & Privacy in Hong Kong and China for 2023 and 2024, and has been featured in leading third-party publications such as the Privacy Laws & Business International Report, the Global Legal Post and the journal of The Hong Kong Chartered Governance Institute.
Joshua is a Certified Information Privacy Professional in Asia (CIPP/A) by the International Association of Privacy Professionals (IAPP). Joshua is also an accredited mediator with the Singapore Mediation Centre (SMC).
- Advised a global cargo operator in relation to a data privacy project involving the review of its template tender documents, data protection agreements and data processor compliance checklist to ensure compliance with applicable personal data privacy requirements, including the PDPO and GDPR, triggered by cross-border transfers of personal information held by its customers. The project involved conducting interviews with representatives from its seven (7) business units, understanding its business operations and data privacy-related requirements, working with stakeholders to prepare the template documentation and giving a final presentation to the board of management.
- Advised a global automobile manufacturer on its data breach notification requirements under the PRC Data Privacy Laws such as the Personal Information Protection Law, Cybersecurity Law and Data Security Law and recommend changes on a process level to ensure compliance with the aforementioned PRC Data Privacy Laws.
- Advised a leading technology company on the permissibility of its collection and retention of IDs in ten (10) jurisdictions across APAC.
- Assisted leading global manufacturer of specialty chemicals and high-performance carbon materials with reviewing various privacy documents and notices to ensure compliance with the requirements of the PIPL.
- Advised and assisted a global US-headquartered education and publishing company in a data privacy compliance exercise to ensure that its data collection streams and usage processes are compliant with PRC Data Privacy laws.
- Conducted a data audit of a global video communication software company data flows in the PRC in order in order to determine the applicability of PRC Data Privacy Laws such as the Personal Information Protection Law, Cybersecurity Law and Data Security Law, and recommend changes on an operational level to ensure compliance with the aforementioned PRC Data Privacy Laws and data localisation requirements.
- Advised the private equity and asset management arm of a leading Korean-headquartered global financial services group on PIPL and other data privacy, data security and cybersecurity laws, with a particular focus on requirements relating to the restrictions on cross-border data transfers and data retention requirements. We also provided our recommendations on steps to take to comply with or mitigate the risk of any non-compliance with the PIPL and other relevant laws.
- Advised a global bank on the compliance of its data privacy practices vis-à-vis employee surveillance data in fifteen (15) jurisdictions across APAC.
- Advised global investment management and advisory firm on applicability of PIPL to its PRC and foreign entities in relation to the processing and transfer of its PRC-based employees, and recommended steps to be taken to comply with the PIPL.
- Advised leading global insurance provider on applicability of PIPL to its Hong Kong entity with no legal presence in the PRC in respect of the collection and processing of its PRC-based customers and the relevant obligations under the PIPL. We also provided our recommendations on the steps to be taken to avoid the risks of any non-compliance with the PIPL.
- Advised a Fortune 500 company on their cross-jurisdictional data flows and structuring of a data lake arrangement for the commercialisation of health care data.
- Advised a major American sporting apparel company on their data protection obligations across Singapore, Malaysia, Thailand, Philippines and Indonesia.
- Advised a major American cloud-based software company on a transfer impact analysis relating to the impact of Singapore law on data transferred from the EU in the wake of the Schrems II decision.
- Conducted data protection compliance exercises and audits for companies operating in various industries (including healthcare, property management and hospitality) on compliance with Singapore’s Personal Data Protection Act 2012 (PDPA).
- Advised a major insurer on a number of complaints to the Privacy Commissioner arising from its data collection, retention and direct marketing practices.
- Represented a Singapore IT service provider in Committee of Inquiry proceedings convened to investigate a cyber-attack resulting in Singapore’s largest data breach.
- Acted for an international hospitality client in a data breach caused by a cyber attack perpetrated by an advanced persistent threat leading to the exfiltration of guest data in multiple jurisdictions. Co-ordinated investigation of the incident; handled advocacy before privacy regulator; coordinated notification to affected parties.
- Acted for a pharmaceutical client in a data breach caused by a ransomware attack. Coordinated investigation of the incident, responses to stakeholders and customers, and advising on notification obligations to privacy regulators.
- Advised a Hong Kong conglomerate on a data privacy breach involving an employee.
- Advised a leading pan-Asian retailer on a data breached caused by a brute force attack on its mobile application, including providing response to the privacy regulator and successfully argued that no investigation should be initiated against the client.
- Acted for a quango in a data breach caused by a ransomware attack. Coordinated investigation of the incident, review of internal procedures and suggested remediation roadmap, providing response to the privacy regulator, reviewing communications to the public and stakeholders.
- Advised a Singapore healthcare organization in a data breach caused by a cybersecurity breach of a third-party provider offering transportation services. Coordinated investigation of the incident and advised on data breach notification requirements to the privacy regulator.
IP & TMT Advisory
- Advised a global financial institution on the preparation of its suite of template procurement documentation, including SaaS, service, software development and hardware procurement.
- Advised an investment company on the review of its template procurement documentation for Hong Kong and Singapore law compliance.
- Acted for a government-linked entity’s investment into an exhibitions company specialising in the exploitation of movie IP, assisted with the IP aspects of the transaction, including the scoping, coordination and conduct of IP due diligence on the target’s upstream and downstream agreements with rights owners and exhibition promoters. The target company raised a total of S$235 million in this round of private fundraising.
- Advised a leading APAC investment firm on the preparation of documentation for its property management mobile application.
- Advised a global technology company on data protection and telecommunications regulations relating to its multi-functional new-to-market IoT device.
- Advised a global hospitality company on the procurement of a cloud-based guest management solution.
- Advised a multi-platform media company on the implications of virtual advertising and post-production digital insertion of advertisements into works.
- Advised a regional health provider on the procurement and implementation of a Human Resources IT system.
- Advised a cloud computing company on the offer of Cloud SMS services as part of its services and relevant telecoms licence in Hong Kong.
- Advised a cloud computing company on the provision of content delivery network point-of-presence services in Macau.
- Advised on the regulatory side in the due diligence aspect of M&A transactions.
National University of Singapore, LLB
Second Upper Class Honours
- Member, Singapore Academy of Law
- Member, Law Society of Singapore
- Notable Practitioner - Hong Kong – Managing IP IP Stars (2023)