What are the Privacy Laws in Asia ?
Disclaimer: The reader understands and acknowledges that Responsible Cyber/Magda Chelly is not a law firm/lawyer and does not provide legal advice in connection with Magda’s furnishing of articles and information about privacy laws and regulations. The reader shall consult with their legal counsel as appropriate before deciding whether to act upon information written and described in this article.
A privacy law is a statute, passed by a legislative body, that regulates the collection, use, and dissemination of personal information. Personal information is any information that can be used to identify an individual. This includes name, address, Social Security number, credit card numbers, and so on.
Privacy laws are designed to protect the individual’s right to privacy by limiting the way in which personal information can be collected, used, and disclosed.
A company can collect, store, process or use various type of information; not only personal information, for example financial statements, confidential strategy plans, amongst others. However, only personal information is regulated under privacy laws.
Usually if a company wants to store personal information, it must have a reason to do so (e.g., the individual has given consent for the company to store their information). There are a few common reasons why a company would want to store personal information:
To provide better customer service (e.g., if the company needs to contact the customer about an order they placed)
- To target ads or marketing materials to specific customers
- To comply with government regulations (e.g., financial institutions must keep records of all transactions)
- To prevent fraud or identity theft
Why privacy laws are important?
Privacy laws are important because they help protect our personal information — information that we may not want others to have access to.
For example, imagine you applied for a loan online. If the lender could see all of your other online activity, they might be able to determine whether or not you’re likely to default on the loan. Or if an employer could see your social media posts, they might get a sense for your personal life (which could impact whether or not you’re hired).
Privacy laws help protect our personal information from being accessed and used in ways that we may not want it to be used.
And that’s why they’re so important!
Does every country in the world have a privacy law ?
Different countries have different privacy laws. Most developed countries have some form of privacy law in place to protect citizens’ personal information.
For example, the United States has the Privacy Act of 1974, which requires federal agencies to protect individuals’ personal information from unauthorized disclosure. The Privacy Act of 1974, as amended, 5 U.S.C. § 552a, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. And the European Union has the General Data Protection Regulation (GDPR), which regulates how personal data can be collected, used, and shared by companies dealing with EU residents’ data. The GDPR is a EU data protection law that came into effect on May 25, 2018. The GDPR replaces the 1995 EU Data Protection Directive. It strengthens EU data protection rules by giving individuals more control over their personal data, and establishing new rights for individuals. Under the GDPR, all organizations that process the personal data of EU residents must comply with specific regulations. These regulations include obtaining consent from individuals before collecting or processing their personal data, informing individuals about their rights under GDPR, and appointing a Data Protection Officer (DPO) under certain circumstances. Organizations that fail to comply with GDPR can be fined up to 4% of their global annual revenue or €20 million (whichever is greater).
137 out of 194 countries had put in place legislation to secure the protection of data and privacy. Africa and Asia show different level of adoption with 61 and 57 per cent of countries having adopted such legislations. The share in the least developed countries in only 48 per cent. [Source: https://unctad.org/page/data-protection-and-privacy-legislation-worldwide] So yes, every country does not necessarily have a privacy law, but most developed countries do have some sort of law in place to protect their citizens’ personal information.
Follow me on Twitter for more updates about security and privacy:
What about privacy laws in Asia?
Let’s start with Singapore.
The Personal Data Protection Act (PDPA) of Singapore was established in 2013 on 2 Januar, while it was started in 2012. The current version as per the 13th of April 2022 is listed here. It sets out the ground rules on how organisations may collect, use or disclose “personal data”. The PDPA covers any information that can be used to identify an individual, such as name, contact details, identification numbers, photograph and email address.
The PDPA requires organisations to take steps to protect personal data from unauthorised access, collection, use, disclosure or destruction. They must also put in place measures to ensure that the personal data is accurate, complete and up-to-date. Lastly, they must inform individuals about their rights under the PDPA and seek consent before collecting, using or disclosing.
More information on the official PDPC website: https://www.pdpc.gov.sg/
Let’s understand India’s privacy regulations journey.
While there is no dedicated privacy law in India that is completely enforced, the country does have a number of laws and regulations that address privacy and data protection. These include the Constitution of India, the Information Technology Act 2000 (ITA), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, amongst others.
When India’s Supreme Court ruled in 2017 that “privacy” is a fundamental right under Article 21 of the Indian Constitution, it laid the groundwork for a single-strategy law for data protection in the country, which has been hailed as one of the most significant Supreme Court decisions in recent memory.
As a result, the Sri Krishna Committee was formed, and in 2018, the Personal Data Protection Bill was first launched. Minister of Electronics and Information Technology (MET) presented Personal Data Protection Bill 2019 (“PDPB”) to Rajya Sabha after making amendments based on comments from industry and stakeholders. Data sharing regulations in private contracts in India should be overhauled, according to this version of the PDPB.
A review of the PDPB’s implementation, however, was sent to Parliament’s Joint Committee of Parliament (JPC) in 2019. The JPC spent two years deliberating on the PDPB’s intricacies.
In the meanwhile, in July 2020, a committee of experts established under MEITY published a report on the Non-Personal Data Governance Framework (“NPD Report”). With this report, corporations, start-ups, and even the government were given a framework for unlocking the economic, social, and commercial worth of non-personal data. Releasing an updated NPD Report in January 2021, the same committee further clarified how the PDPB would operate in conjunction with the framework established for non-personal data governance while also limiting scope and purpose.
A new report and a legislative draft were then presented by the JPC in November 2021. Data Protection Bill 2021 (“DPB”), the new name for the PDPB, was introduced in its latest incarnation, and it included a number of major revisions. The law’s scope was expanded to include non-personal data as well as personal data. DPB also implemented stringent data breach reporting requirements, regulation of hardware manufacturers, enabling a certification mechanism for all digital and IoT devices to mitigate data breaches, and an additional compliance measure of consulting the Central Government for cross-border transfer of sensitive personal data.
However, various stakeholders strongly objected to the legislation’s focus. Thus, the future of the DPB is now unknown.
At this point in time, it looks like India’s five year journey toward developing a solid privacy and data security framework has stalled. The next few months will be significant for India’s data governance structure. [Source: https://www.lexology.com/library/detail.aspx?g=57720842-f709-4dd4-947b-44c3c6e4ed10]
Let’s look at Indonesia, and its privacy regulation.
There is no single privacy law in Indonesia, but there are a number of laws that protect certain aspects of privacy. The Constitution of Indonesia guarantees the right to privacy. In particular, Article 28G of the Constitution states that ‘each person shall have the right to the protection of their personal selves, families, respect, dignity, and possessions under their control.’
Several other laws deal with specific aspects of personal privacy, such as the Law on Electronic Information and Transactions (2008), and the Law on Telecommunication (2009). However, these laws do not provide a comprehensive framework for protecting personal data, and they are not always effectively enforced.
Let’s discover China’s privacy laws.
China does have a privacy law. China passed the Personal Information Protection Law (中华人民共和国个人信息保护法)1 (“PIPL”), which took effect on 1 November 2021.
“Personal information processing entities (PIPEs)” are defined as “an organization or individual that independently chooses the goals and methods for processing personal information” under the PIPL. Processed personal data is defined under the Personal Information Protection and Electronic Documents Act (PIPL) as “different sorts of electronic and otherwise recorded information belonging to an identified or identifiable natural person, except anonymized information” (PIPL Article 4).
According to the PIPL, the EU’s GDPR is quite comparable, including its extraterritorial reach, limits on data transfer, compliance duties, and consequences for non-compliance, among others. However, even firms who do business in China but handle customer data elsewhere should be concerned about the PIPL, since failure to comply might result in financial fines as well as the company being included on the government’s “blacklist.”
Let’s look at the Philippines.
The Philippines has a data privacy law known as the Data Privacy Act of 2012. This law provides guidelines for how businesses should collect, use, and protect personal data. The law also establishes certain rights for individuals with respect to their personal data. Finally, the law creates a new agency, the National Privacy Commission, to oversee compliance with the Data Privacy Act.
Further information is available here: https://www.privacy.gov.ph/data-privacy-act/
Let’s consider Japan.
Japan has a privacy law. APPI and the Personal Information Protection Commission (“PPC”), a national government agency charged with overseeing privacy issues, manage Japan’s privacy laws.The Personal Information Protection Law (PIPL) went into effect on April 1, 2005. The PIPL regulates the handling of personal information by companies and organizations in Japan.
As part of its initial implementation in 2003, the APPI was amended on May 30th, 2017. On 5 June 2020, the Japanese Diet approved a bill to further amend the APPI (“Amended APPI”). The Amended APPI took effect on April 1, 2022.
The PIPL requires companies to obtain consent from individuals before collecting, using, or disclosing their personal information. Companies must also take measures to protect the personal information they collect and must disclose their privacy policies to individuals. Sanctions for violating the PIPL can include fines and imprisonment.
Further information is available here: https://www.ppc.go.jp/en/
Let’s look at South Korea.
South Korea has a privacy law. The Personal Information Protection Act 2011 (as amended in 2020) (‘the PIPA’) and its implementing regulations covers the collection, use, and disclosure of personal information. The act also establishes standards for data security, including the destruction of personal information that is no longer needed.
The law applies to any business that collects, uses, or discloses personal information. This includes businesses located outside of South Korea if they collect, use, or disclose personal information about individuals in South Korea.
Personal data must be handled in accordance with strict rules set out by South Korean data protection regulations at every stage of its lifetime.
Data subjects’ permission is nearly always necessary, in theory, to treat their personal data under these regulations.
Let’s understand Malaysia.
Malaysia does have privacy laws in place. The Malaysian government has been active in recent years in introducing and enacting a number of legislative initiatives aimed at protecting the privacy of its citizens.
One such law is the Personal Data Protection Act (PDPA) 2010, which regulates the collection, use, disclosure and care of personal data. The PDPA applies to all organisations with operations in Malaysia, regardless of size or industry sector. Under the PDPA, organisations are required to take reasonable steps to protect the personal data they collect from unauthorised access, misuse, disclosure or destruction. The penalty for non-compliance is between RM100k to 500k and/or between 1 to 3 years imprisonment.
Another key law relevant to privacy in Malaysia is the Communications and Multimedia Act 1998 (CMA).
Let’s jump into Thailand.
It is a bit complicated. Personal data protection became legislation in Thailand on May 28th, 2019.
There are also a few other laws that provide some protection for personal data, such as the Electronic Transactions Act 2001 and the Computer Crime Act 2007. These laws criminalise certain acts that could potentially violate someone’s privacy, such as unauthorised access to computer systems or interceptions of electronic communications.
As Amended by the Electronic Transactions Act, (№2) B.E. 2551 (2008) This Act supports the legal effects of electronic and commercial electronic transactions conducted electronically, as well as electronic transactions of the public sector, such as registration, payment.
Thailand’s Personal Data Protection Act (PDPA) comes into full effect this year. In June 2022, Thailand’s first comprehensive data protection legislation will be completely enforced.
Let’s check Vietnam.
There is no single privacy law in Vietnam that covers all aspects of data privacy. However, there are several sector-specific laws that deal with privacy, including the Law on Electronic Transactions, the Law on Cybersecurity,
the Penal Code, and the Civil Code. These laws contain provisions on the protection of personal data, confidentiality obligations, data breaches and their consequences.
Vietnam’s Cybersecurity Law mandates that domestic or international cyberspace service providers that engage in activities such as data collection and analysis must keep such data in Vietnam, regardless of whether the service providers are local or foreign.
Let’s look at Cambodia.
Cambodia does not have a distinct privacy law. However, the Cambodian Constitution provides for the right to privacy, and several laws contain provisions relating to data protection. In addition, Cambodia is a party to the International Covenant on Civil and Political Rights, which contains provisions relevant to privacy rights.
Lastly, let’s view Brunei.
Brunei has a privacy law. The country’s privacy regime is based on the 2006 Telecommunications Act, which provides for the protection of personal data. The act requires telcos and ISPs to take reasonable measures to protect subscribers’ personal information from unauthorized disclosure. In addition, the act prohibits the use of subscriber information for marketing purposes without the subscriber’s consent.
A response to the public consultation it had launched on the envisaged functioning of the proposed Personal Data Protection Order (‘PDPO’) was issued by Brunei Darussalam’s Authority for Info-Communications Technology Industry (‘AITI’) on 3 December 2021.
The scope of the PDPO, important terminology, and duties for organizations and data intermediaries will be examined in the first part of this series.The Privacy Act also applies to businesses that collect, hold, use or disclose personal information in the course of their business activities. The Act contains a number of provisions relating to data protection, including requirements for the collection, storage, destruction and retention of personal information. Businesses must take reasonable steps to protect personal information from misuse and loss, as well as unauthorized access.
It does not matter whether a company is incorporated or recognized by Brunei law, or if it is based in Brunei Darussalam, if it collects, uses, or discloses personal data in the territory, the PDPO applies.
The rapid growth of the digital age has led to a corresponding increase in data privacy concerns. As more and more businesses move online, it is important to be aware of the various privacy laws that apply to your industry and region.
Asian countries have been taking data privacy seriously, with new laws being enacted regularly. These laws are a reminder that businesses need to keep data privacy in their radar as they expand into new markets.
The need for data privacy is not just a matter of complying with regulations; it’s also about respecting the privacy of your customers. By ensuring that your company takes steps to protect user data, you can build trust and loyalty among your customer base. And, as we all know, happy customers are more likely to return and recommend your business to others.
By keeping data privacy in your radar, you can help protect yourself, your customers, and your business from potential legal issues.
What have been some of the biggest challenges you’ve faced in protecting customer data? Let us know in the comments below!
By Magda Chelly
Chief Security Officer | TEDx Talk | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)
Find out on magda-on-cyber.com
- The IFSEC Global influencers in security and fire 2021
- Top Women in Security Asean Region 2021 Awards https://www.asiapacificsecuritymagazine.com/winners-and-judges-of-the-top-women-in-security-asean-region-2021-awards/
Follow Magda on her Social Media Accounts: