Characteristics of the Current Asian Landscape: Commonalities and Differences
By the end of 2023, privacy laws in Asia (East, Central, and South) and the Pacific are likely to be in force in 24 jurisdictions, a 25% increase in just the last two years. In 2022, several key jurisdictions in the region—China, Thailand, Indonesia, and Sri Lanka—either adopted or are in the process of implementing comprehensive privacy laws for the very first time. India and Vietnam are expected to join their ranks in the coming year. At the same time, jurisdictions with mature privacy regimes such as Australia, Japan, Korea, New Zealand, and Singapore continue to amend their laws to align them more closely with European privacy rules.
While all of these laws contain the same core data protection elements found in virtually every privacy law in the world, they each have their own specific rules that differ from each other and from those in other regions. In contrast to the European Union, the region is characterized by varied legal systems and historical differences that make it impossible to generalize about the laws across Asia and the Pacific. It is important to take these differences into account when developing global or regional privacy compliance programs.
The following provides a high-level overview of the commonalities and differences among the 22 jurisdictions in the region that now have data privacy laws.[1] The newest laws are in Indonesia and Sri Lanka.
Scope. Most of the laws in this region apply to processing in-country only. However, nine now have extraterritorial provisions that are similar to or exceed the scope of the EU’s General Data Protection Regulation (GDPR) extraterritorial provisions: Australia, China, Indonesia, Japan, New Zealand, the Philippines, Sri Lanka, Taiwan, and Thailand.
Cross-border Transfers. Similarly, more than three-quarters (19) impose restrictions on cross-border transfers of personal data. However, the similarities end there, because the legal bases for transfers vary in terms of adequacy, consent (or another legal basis such as a legal requirement), and/or contracts (or binding corporate rules). With the exception of Japan, which recognizes the European Economic Area (EEA) member states as providing adequate protection, no other jurisdiction in the region has issued a list of adequate jurisdictions or, with the exception of New Zealand, model contractual clauses. Moreover, New Zealand, Japan, and most recently South Korea are the only countries in the region to have been found adequate by the European Union (EU). Taiwan is currently seeking to obtain an EU adequacy decision.
The laws in Hong Kong, Nepal, and Taiwan do not restrict cross-border transfers of personal data.
Breach Notification. Almost two-thirds (15) require notification in the event of a data breach. While a number of laws only require that notice be provided to individuals and/or to the data protection authority (DPA) “promptly” or “without delay,” others require notification within prescribed time periods. These time periods vary widely, from three-to-five days, to 72 hours, to six hours.
Legal Bases for Processing. Almost two-thirds of the laws (14) do not permit processing on the basis of legitimate interests. The range of available legal bases varies widely from one jurisdiction to another. Only eight permit processing on the basis of legitimate interests.
Individual Rights. All of the laws provide access and correction rights. More than half of the laws (13) provide erasure rights but only the laws in five jurisdictions provide data portability rights: China, Mongolia, the Philippines, Singapore, and Thailand. The timeframes for responding to Individual Rights requests also vary widely: five laws require responses to rights requests within 30 days or more; four within 15–21 days; two within 10 days; and seven within 1–7 days. Six do not specify a specific time period.
Data Protection Officer (DPO). Half (11) require the appointment of a DPO: China, Indonesia, Japan, Kazakhstan, Korea, Mongolia, New Zealand, the Philippines, Singapore, Sri Lanka, and Thailand.
Data Localization Requirements. Three jurisdictions with comprehensive privacy laws impose data localization requirements. Kazakhstan’s privacy law requires companies to store their data locally. China’s Personal Information Protection Law requires organizations that process high volumes of personal data and operators of critical infrastructure to store personal data within China. The Uzbek law requires owners and/or operators to process personal data of Uzbek citizens only with technical means physically located in Uzbekistan. Such technical means must be registered in the State Register of Personal Data Databases. In addition, this requirement also applies to the processing of personal data using information technologies, including through the internet. In addition, Vietnam, which has not yet enacted an omnibus privacy law, imposes data localization requirements through its Cybersecurity Law on Vietnamese domiciled entities that are: (i) functioning as service providers in the telecommunications network or internet or providing value added services in cyberspace; and (ii) processing personal data of Vietnam users, data about the relationship of users in Vietnam, or data created by users in Vietnam. These data localization requirements also apply to foreign (offshore) companies in nine specified sectors under specified conditions.
Registration. While the trend around the world is to minimize registration requirements, seven laws in the region require organizations to register processing activities with a data protection authority: Kazakhstan, Kyrgyzstan, Macao, Malaysia, the Philippines, Tajikistan, and Uzbekistan. Three of these jurisdictions require controllers and processors to register.
Data Protection Impact Assessments (DPIAs). Most laws in the region do not require organizations to carry out DPIAs. DPIAs are required only in China, Indonesia, Singapore, South Korea, Sri Lanka, and the Philippines.
Enforcement. To date, enforcement of data privacy laws in this region has been most active in Australia, Hong Kong, Japan, Singapore, and South Korea, but with the enactment of new and amended laws carrying increased penalties, enforcement will likely increase. China, one of the newest jurisdictions to enact a privacy law, has already acted swiftly to show its determination to enforce its privacy rules. In July 2022, the Cyberspace Administration of China (CAC) imposed major fines on a ride-hailing operator and its senior management for alleged violations of the Cyber Security Law, Data Security Law, and Personal Information Protection Law (PIPL) in its handling of personal information and other relevant data. The company itself was fined RMB 8.026 billion (approximately US$1.19 billion) and its chairman and president were each fined RMB 1 million (approximately US$148,000).
[1] The following jurisdictions have data privacy laws: Australia, China, India (Privacy Rules under the Information Technology Act), Indonesia, Hong Kong, Japan, Kazakhstan, Kyrgyzstan, Macao, Malaysia, Mongolia, Nepal, New Zealand, the Philippines, Singapore, South Korea, Sri Lanka, Taiwan, Tajikistan, Thailand, Turkmenistan, and Uzbekistan.