2025 Data law trends
7. Asia’s privacy laws are maturing
By Richard Bird, Harshavardhan Ganesan, Fan Li
IN BRIEF
In recent years, many countries across Asia have either rolled out new comprehensive privacy laws or made significant amendments to existing regulations. Notable examples include China, India, Indonesia, Japan, Malaysia, South Korea, Sri Lanka, Thailand, and Vietnam. Currently, Indonesia, India, and Malaysia are working toward the full implementation of their newly amended laws. Additionally, Australia has announced the first phase of a comprehensive reform of its Privacy Act after a thorough government review.
Common themes in Asian privacy laws
- Consent remains the primary legal basis for processing personal data in China, India and Vietnam. In addition, Australia, China, Malaysia, Philippines, Taiwan and Thailand all require consent for the collection of sensitive personal data (and this will require a separate reputational assessment to be made under Vietnam’s new Personal Data Protection Law). Deemed consent is also a permitted legal basis in Singapore (subject to certain constraints), and to a more limited degree in India as well.
- Indonesia, the Philippines, Singapore and Thailand permit data processing based on an organization’s legitimate interests. China, Indonesia, Korea, Malaysia, the Philippines, Singapore, Taiwan and Thailand allow processing where necessary for the performance of a contract with the data subject. Clarification is needed whether Vietnam will also allow processing on this basis under the new law, in particular for online services. Neither legal basis is available for the processing of sensitive personal data in those countries that require consent.
- While South Korea also permits processing based on legitimate interests, the GDPR standard (and that adopted elsewhere in Asia) is flipped: the organization’s legitimate interests must clearly override an individual’s rights in order for this legal basis to be relied upon.
- GDPR-style data subject rights have been widely adopted across Asia, particularly the rights to access and rectification, erasure and cessation of processing. The right to object to automated processing (China, Indonesia, Philippines and Vietnam (pending)) and the rights of data portability are less well cemented at this point in time. Only China, the Philippines and South Korea grant both (the portability right is not yet in force in Korea). Singapore and Malaysia have also recently extended their data subject rights to include a right of portability, although neither amendment is in effect yet.
- Privacy impact assessments are either required or recommended in many Asian countries – although the specific triggers for these assessments vary.
- Mandatory breach reporting obligations are the norm across the region (as discussed further below), with an additional annual security incident reporting requirement in the Philippines. Reporting timelines typically follow the GDPR standard of 72 hours. Several countries require organizations to implement formal security incident management processes (eg China, Indonesia and Malaysia) as a specific organizational measure to protect personal data, and this has been proposed in Australia as well.
- Maximum penalties vary considerably across the region, although maximum penalties set as a percentage of revenue/turnover have recently been introduced in several countries (eg China, India, Indonesia and Singapore) and proposed in Australia. Overall, both maximum and awarded penalties are trending markedly upwards.
- Varied rules on cross-border data transfers are also increasing compliance burdens on multinational companies (see Chapter 2 for recent developments in the related rules in Asia).
New privacy rules have been taking shape across Asia over the past few years. While there is a good degree of conceptual alignment with the GDPR, no country has taken a copy and paste approach either, and in some areas there is significant departure.
Richard Bird, Partner
Yet significant divergence in Asian privacy laws, too
While Asia’s privacy laws reflect a relatively high degree of general consensus in approach (as outlined above), each has its unique requirements and idiosyncrasies. These points of difference can have significant practical impacts on compliance programs.
The absence of any true harmonization in the permitted legal bases for processing, and the greater reliance on consent as the primary and preferred basis for processing, by themselves create a significant impediment to organizations taking a single regional approach to privacy compliance.
It is important that international companies maintain awareness of all important local requirements in those Asian jurisdictions in which they operate, given the significant penalties that attach to non-compliance in many of them and the generally increasing levels of enforcement.
For example, while it was noted above that most countries in Asia have either introduced or are proposing (ie Malaysia) mandatory data breach reporting requirements, the basis for reporting may vary significantly from one jurisdiction to the next.
There are notable differences in data incident reporting thresholds across the region – harm or scale standards are often set up differently, for example, or with differing deeming criteria. In other jurisdictions, reporting requirements can be triggered depending on the nature of the incident, for example whether it involves unauthorized access from outside the organization. Specific sectoral reporting obligations may also apply.
The assessment of reporting requirements for data security incidents that implicate personal data collected in, or relating to the residents of, multiple countries/territories is made more complex still by the large amount of variability in the jurisdictional basis on which local law applies to data that is processed in another country or for purposes related to activities in another country (eg an overseas purchase or booking). Mandatory (ie standard form) contractual mechanisms for cross-border data transfers may also impose their own reporting obligations on the transferor, the transferee or both.
These assessments also need to be made against relatively strict reporting deadlines, typically within a reporting window of 72 hours or less. The prevailing standard for reporting to privacy authorities and for notifying individuals can be different within a single jurisdiction.
An early report in one country – reflecting the more limited understanding of the incident available at the time – may affect the reporting strategy in another country where the report is due later. Reporting may prompt a privacy authority to start an investigation before reports have been filed in other countries. Those earlier filed reports and regulatory submissions may also be discoverable in investigatory processes and court proceedings in other countries around the world. Risk calculations may therefore need to be made.
Given the pace of change in privacy laws in Asia, international companies active in the region should make it a priority to stay updated.
Fan Li, Senior Associate
Practical implications for businesses
Given the rapid evolution of privacy laws in Asia, it is advisable for organizations to take stock of the increasing compliance burden by conducting a gap analysis and updating existing data protection notices and policies and their internal technical and organizational controls, especially if these have not been reviewed in the past few years. Many of the new or amended laws in the region also require a data protection officer (DPO) to be appointed.
Conducting regular staff training will be another important measure to take to ensure that the requirements of new laws and internal policies are well understood and embedded in organizational processes.
Whereas in the past Asia may not always have been at the forefront of companies’ minds in their global privacy compliance programs, increasing fines and enforcement call for a sharpened focus on the region.
Harshavardhan Ganesan, Associate
Looking Ahead
Exciting changes are on the horizon across several countries in Asia.
- In India, the Digital Personal Data Protection Act (DPDP) passed in August 2023 and is set to be enforced soon now that the general elections have concluded. One key aspect to watch is how the government will define ‘significant data fiduciaries.’ These organizations will face additional responsibilities, including conducting regular privacy impact assessments, undergoing external audits, and appointing a DPO who must be based in India. This DPO will report directly to the board and act as the main contact for grievance redressal under the DPDP. The government will determine which data fiduciaries are deemed ‘significant’ based on factors like the volume and sensitivity of personal data processed and the associated risks. Additionally, keep an eye out for the government’s forthcoming ‘blacklist’ of countries where organizations won’t be allowed to transfer personal data.
- Malaysia’s parliament approved substantial updates to the Personal Data Protection Act in July 2024. The government is also working on new rules regarding data breach reporting, DPO appointments, and the right to data portability.
- Vietnam has recently announced a draft Data Law. This law takes cues from China’s regulations, including stricter protections for ‘core’ and ‘important’ data, along with a security assessment process for data exports. A new Personal Data Protection Law is also set to take effect on January 1, 2026, reinforcing most provisions from the existing Decree 13 while adding several new requirements.
- In Japan, the Act on Protection of Personal Information is under a three-year review. The Personal Information Protection Commission shared an interim summary in June 2024, hinting at proposed reforms concerning biometric and children’s data. They plan to ban certain improper uses of personal data and expand individuals’ rights to request the suspension of their data usage.
- Australia has taken the first steps toward implementing a series of changes to its Privacy Act. The first round of amendments was introduced in mid-September 2024, and the government is expected to roll out many of the 166 reforms suggested in the Attorney-General’s 2023 review of the law.