The challenge for anyone doing business in the Asia Pacific region is the ever-expanding number of countries introducing data privacy/cybersecurity requirements, some with significant penalties for non-compliance. It would be one thing if they lined up with the GDPR perfectly, but each has its own flavour, unique requirements and purpose. Several impose standard GDPR-style obligations, such as data subject notifications, consent requirements, retention and security requirements. But several also have distinctive features, such as:
- The lack of legitimate interests as a legal basis for processing, such as in China, Vietnam and India
- Broader restrictions on outbound transfers of personal data
- Local language specifications for notices and consents, as well as local representative requirements
- Heightened concerns over collection of national identification information
- The application of data privacy laws to the personal data of citizens living abroad
- Each jurisdiction with its own definition of what is a data breach and when/if/to whom it is notifiable
Below, we have prepared a comparison of the regional data privacy/cybersecurity laws across a set of consistent categories, such as:
- Obligations on collecting/handling/transporting data
- A data subject’s right to query/modify
- Cross-border obligations
- Breach notification requirements
- Penalties
We have also included whether a jurisdiction allows discovery and/or class action litigation, as that can factor in risk considerations.
The jurisdictions covered below are:
- Australia
- China
- Hong Kong
- India
- Indonesia
- Japan
- Malaysia
- Philippines
- Republic of Korea
- Singapore
- Taiwan
- Thailand
- Vietnam
APAC Legislation Tracker: Australia
Name of law: The Australian Privacy Act 1988 (APA), with Notifiable Data Breach Scheme (22 February 2018).
Supervisory authority: Office of the Australian Information Commissioner (OAIC). Discovery and class actions permitted.
Scope of application/extraterritoriality: Private sector organisations with more than AUD $3 million (approximately USD 1.92 million) annual turnover and federal government agencies. Applies to entities outside Australia with an Australian link.
Controller/processor distinction: No.
Sensitive personal data: Can only process sensitive personal data with consent unless required by law. Government IDs specially protected.
Lawful bases for processing: Consent, required or authorised by law, necessary to protect health or safety or is in the public interest.
Security requirement: Must take reasonable steps to protect information.
Data subject rights: Yes.
Cross-border transfers: Before disclosing personal information to an overseas recipient, must take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles, and remains accountable for the recipient's acts, unless an exception applies, for example the recipient is bound by a law or binding scheme substantially similar to the APA that the individual can enforce, or the individual has expressly consented after being informed that this protection will not apply.
Data protection officer/local representative requirement: Not mandatory.
Registration/filing/approval requirement: No.
Breach notification: Required to affected individuals and the OAIC for an eligible data breach: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any individual. If remedial action is taken before serious harm results, so that serious harm is no longer likely, the breach is not notifiable. Where it is unclear whether a breach is eligible, an assessment must be completed within 30 days. Notification is required as soon as practicable after the entity forms the view that an eligible data breach has occurred.
Employment context: For private sector employers, acts and practices directly related to a current or former employee's employee records are exempt (the employee records exemption), so employee personal data is generally excluded.
Minors: Persons above 15 are presumed to have capacity to consent, but organisations must assess capacity on a case-by-case basis for persons under 18 years of age. Parental or guardian consent required if no capacity.
Direct marketing: Only with consent or reasonable expectation and with an opt-out option.
Any special/unique local requirements to note:
Penalties: Up to AUD $444,000 (individuals) or AUD $2.2 million (corporations) under the Privacy Act; for serious or repeated interferences with privacy, amendments in force from 13 December 2022 raised the corporate maximum to the greater of AUD $50 million, three times the benefit obtained, or 30% of adjusted turnover for the relevant period.
Private right of action:
Our team: Charmian Aw and Connor McClymont
APAC Legislation Tracker: China
Name of law: Personal Information Protection Law (PIPL, effective 1 November 2021) and various implementing regulations and rules thereunder (including industry-specific regulations).
Supervisory authority: The Cyberspace Administration of China (CAC) is the primary supervisory authority. Other regulatory authorities, such as the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS) and the State Administration for Market Regulation (SAMR), as well as industry-specific authorities, are involved in enforcements.
Scope of application/extraterritoriality: Has extra-territorial application.
Controller/processor distinction: Yes.
Sensitive personal data: Defined in PIPL Article 28 as personal information that, once leaked or illegally used, may easily lead to infringement of personal dignity or harm to personal or property safety. It includes biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14. Processing sensitive personal information requires a specific purpose, sufficient necessity, strict protective measures and separate consent.
Lawful bases for processing: Processing only under various legal bases, which does not include legitimate interest.
Security requirement: Appropriate security measures must be taken, such as formulating compliance program, data classification, taking technical security measures (e.g. encryption and de-identification), developing access control and conducting employee training and implementing a cyber-incident security response plan.
Data subject rights: Data subject rights to access/correct/delete/transfer personal information, request informed notification for consent and impose limits on or reject processing of their personal information.
Cross-border transfers:
Any controller exporting personal information must rely upon one of the following three mechanisms:
- Pass a CAC security assessment: A critical information infrastructure operator (CIIO), or a controller who processes large amounts of personal information (specific criteria have been provided in subordinate regulations issued by the CAC) must localise the personal information, unless they clear the CAC security assessment.
If a controller is not required to pass a CAC security assessment, it may choose from one of the following:
- Pass a qualified third-party certification.
- Conclude a standard contract on personal information export (Standard Contract) based on the template formulated by the CAC. An executed Standard Contract must be filed with the provincial level CAC within 10 business days from its effectiveness.
Other requirements include conducting a personal information protection impact assessment on the export, providing proper notice on the personal information export, obtaining separate consent, etc.
No transfer to foreign law enforcement or for a judicial proceeding is allowed without approval of Chinese authorities.
Data protection officer/local representative requirement:
- Offshore entities must have a data privacy representative (or agency) in China and notify the authorities
- Data privacy officer is required when data processed exceeds a quantity (yet to be specified by the CAC)
Registration/filing/approval requirement: Yes, please refer to the cross-border transfers section above.
Breach notification: Breach notification to authorities and data subject where personal information has been or may be divulged, tampered with or lost. Notification to the data subject is not required if harm to the data subject can be avoided but may be ordered by the authorities if such authorities believe that harm to the data subject may still be caused.
Employment context: No special rules currently. Data subjects in an employment context will be treated the same as those in a non-employment context.
Minors: Personal information of a minor under the age of 14 is deemed as sensitive personal information. Parent’s or legal guardian’s consent is needed.
Direct marketing: Direct marketing activities (including advertisement through emails and text messages) require explicit consent from the individuals, and a company should offer a way to opt out.
Any special/unique local requirements to note:
- See the section of cross-border transfers above
Penalties:
- Up to 5% of prior year’s turnover or RMB50 million (approximately US$7 million)
- May receive an order to cease services or restrict export of data or cancellation of business licence
- Persons directly in charge and other persons directly liable may be fined RMB100,000 to RMB1 million (approximately US$14,000 to US$140,000) and may be barred for a period from serving as directors, supervisors, senior managers or personal information protection officers
Private right of action: Class action is not common, but data subjects may sue and the burden of proof shifts. No discovery (but seizures and broad duty to cooperate with the government).
Our team: Scott Warren, Lindsay Zhu and Katherine Fan.
APAC Legislation Tracker: Hong Kong
Name of law: The Personal Data (Privacy) Ordinance (PDPO), latest amendment 1 October 2022.
Supervisory authority: Privacy Commissioner for Personal Data.
Scope of application/extraterritoriality: No express extraterritorial reach; applies to data users that control the collection, holding, processing or use of personal data in or from Hong Kong.
Controller/processor distinction: Yes, distinction between a data user and a data processor.
Sensitive personal data: No.
Lawful bases for processing: No enumerated lawful bases. Under Data Protection Principle 1, data users must inform data subjects on or before collection of the purposes of use and the classes of persons to whom the data may be transferred; under Data Protection Principle 3, use (including transfer) for a new purpose requires the data subject's prescribed consent.
Security requirement: Yes, all practicable steps shall be taken to ensure that any personal data held by a data user is protected against unauthorised or accidental access, processing, erasure, loss or use.
Data subject rights: Right of access and right of correction.
Cross-border transfers: Not currently (relevant section not yet in force).
Data protection officer/local representative requirement: No.
Registration/filing/approval requirement: No.
Breach notification: Not currently.
Employment context: No special rules currently. Data subjects in an employment context will be treated the same as those in a non-employment context.
Minors: No special rules currently.
Direct marketing: Consent (including an indication of no objection) should be obtained for direct marketing purposes.
Any special/unique local requirements to note: There are provisions that criminalise doxxing acts and provide the Privacy Commissioner for Personal Data with statutory powers to conduct criminal investigations and enforce the law, including the powers to serve cessation notices to demand actions to cease or restrict disclosure of doxxing contents.
Penalties: Enforcement notices may be issued, and a failure to comply could attract a fine of up to HKD50,000 (approximately US$6,500 as of 19 June 2023) and two years’ imprisonment for a first offence. Contravention of the direct marketing requirements could attract a fine of up to HKD1 million (approximately US$128,000) and five years’ imprisonment.
Private right of action: Yes. No class action. Can have discovery.
Our team: Nick Chan and Charmian Aw.
APAC Legislation Tracker: India
Name of law: Digital Personal Data Protection Act 2023 (DPDP Act).
Supervisory authority: Data Protection Board.
Scope of application/extraterritoriality: Applies to processing within India, and processing outside India if in connection with any activity relating to the offering of goods or services to individuals in India.
Controller/processor distinction: Yes, controllers are data fiduciaries and processors are data processors.
Sensitive personal data: No specified definition.
Lawful bases for processing: Consent from data subjects, or legitimate uses, which include (a) where the data principals voluntarily provide their personal data and have not indicated their objection to the data fiduciaries’ use of that data; (b) to fulfil any legal/judicial obligations as specified; (c) for a medical emergency or health service; and (d) employment.
Security requirement: Yes, reasonable security must be accorded to protect personal data.
Data subject rights: Yes, right to withdraw consent, right of access, right of rectification, right to erasure and right to grievance redressal.
Cross-border transfers: No, unless specifically restricted by the Indian government.
Data protection officer/local representative requirement: Only significant data fiduciaries need to appoint a data protection officer. A significant data fiduciary will be classified as such if they routinely process large volumes of personal data.
Registration/filing/approval requirement: No.
Breach notification: Yes, and timelines and other requirements will be specified in further rules to be issued. Must report cybersecurity incidents (including data breaches) to the Computer Emergency Response Team (CERT-In) within six hours.
Employment context: Processing for employment is considered a legitimate use for which consent is not required.
Minors: A minor who is less than 18 years of age cannot give valid consent, and their parent or legal guardian’s consent is needed.
Direct marketing: No.
Any special/unique local requirements to note: Not applicable.
Penalties: Specified contraventions can attract a financial penalty of up to INR250 crores (approximately US$25 million) per instance.
Private right of action: No.
Our team: Scott Warren and Charmian Aw.
APAC Legislation Tracker: Indonesia
Name of law: Law No. 27 of 2022 concerning Personal Data Protection.
Supervisory authority: Personal Data Protection Agency to be formed, but the Ministry of Communications and Informatics will be the relevant authority in the interim.
Scope of application/extraterritoriality: Yes. Applies where processing has legal consequences (i) in Indonesia, or (ii) involves data subjects who are Indonesian citizens even if these individuals are outside of Indonesia.
Controller/processor distinction: Yes, the law distinguishes personal data controllers from personal data processors.
Sensitive personal data: Includes health, biometric, genetic data, sexual life/orientation, political views, criminal records, minors and personal financial data. Its processing may require a data protection impact assessment where a high risk is posed to data subjects, and a data protection officer (DPO) may need to be appointed (see trigger conditions below).
Lawful bases for processing: (i) Consent (explicit and in written form) from the data subject; (ii) necessary for performance of the contract of which the data subject is a party or pursuant to their request; (iii) necessary to comply with legal obligation; (iv) necessary to protect the data subject’s vital interests; (v) necessary for public interest; or (vi) necessary for legitimate interests balancing the rights of the organisation and data subject.
Security requirement:
- Adopt technical and operational measures of security
- Adopt risk-based approach to determine level of appropriate security for personal data
- Controllers to prevent personal data from unlawful access
- Other measures may be specified in subsequent regulations
Data subject rights:
- Right to withdraw consent
- Right of access
- Right to rectification
- Right to object to processing
- Right to request deletion
- Right to object to automated decision-making
- Right of data portability.
Cross-border transfers: (i) Recipient country has an equal or higher level of personal data protection than Indonesia, or (ii) there are binding data protection safeguards for the transferred data, or (iii) consent has been obtained from the data subjects.
Data protection officer/local representative requirement: Yes, if processing is for public service purposes, involves large-scale, frequent and systematic monitoring of personal data, or involves large-scale processing of specific personal data or data related to a person's criminal activity.
Registration/filing/approval requirement: Yes, for any local or foreign operator of an electronic system, that provides services or conducts business or operates an electronic system used/offered in Indonesia.
Breach notification: Yes. Must notify within three days to the relevant authority and data subjects.
Employment context: Same as for other data subjects. Consent is recognised as a valid legal basis for processing.
Minors: For persons under 18 years of age, parental or legal guardian consent is needed.
Direct marketing: Opt-in consent is required.
Any special/unique local requirements to note: Consents and notices need to be in the Indonesian language.
Penalties: Administrative fines of up to 2% of annual revenue; certain offences also carry criminal sanctions (imprisonment and fines).
Private right of action: Yes.
Our team: Charmian Aw and Nick Chan.
APAC Legislation Tracker: Japan
Name of law: The Act on the Protection of Personal Information (2003) and amendments (last implementation April 2023). Revised guidelines released September 2022.
Supervisory authority: Personal Information Protection Committee.
Scope of application/extraterritoriality: Yes. The APPI applies to operators outside Japan that handle the personal information of individuals in Japan in connection with supplying goods or services to them. On consent: affirmative consent is required to collect sensitive (special care-required) personal information. Providing personal data to a third party usually requires informed consent with details and a contract; however, "third party" excludes an entrusted party processing for a designated purpose. Broader initial consent is possible if the purposes are notified via a privacy policy and website notice.
Controller/processor distinction: Those terms are not used, but the terms that essentially equate are personal information handling business operator (essentially controller) and entrusted party (essentially processor).
Sensitive personal data: Special care-required personal information includes race, creed, social status, medical history, criminal record (including damage received from one) or as prescribed by cabinet order.
Lawful bases for processing: Consent (through notification) and performance of a contract remain the primary legal bases for processing most personal information. Note: there is no legitimate interest basis under Japanese law. Sensitive personal information has heightened consent requirements.
Security requirement: Must establish an organisational structure for personal information protection (policies, DPO), implement tangible measures to protect personal information (periodic testing, etc.) and training.
Data subject rights: Broad rights similar to GDPR.
Cross-border transfers: Transfers may only be made to countries with an adequate level of data privacy protection or where sufficient contractual obligations exist with the data recipient. Informed consent generally required.
Data protection officer/local representative requirement: Need to identify to whom data subjects should direct their queries.
Registration/filing/approval requirement: None.
Breach notification: Preliminary report to the PIPC within three to five days, and a final report within 30 days (60 days where the breach was caused by an act with an unlawful purpose), for leakage, loss, damage or tampering that is material: it involves sensitive (special care-required) data, risks property damage, was caused by a perpetrator with an unlawful purpose, or affects more than 1,000 data subjects. Affected data subjects must be notified of a material breach by letter or email as soon as possible after the incident, factoring in the implementation of countermeasures.
Employment context: The Japan APPI applies to employees.
Minors: The age of consent in Japan remains at 18.
Direct marketing: Should provide an opt-out clause.
Any special/unique local requirements to note: MyNumber (National ID) has heightened collection/storage/breach notice regulations. Reasonable steps required, including testing and employee supervision, to secure personal information.
Penalties: The latest amendments raised the maximum corporate fine to JPY100 million (approximately US$1 million); individuals face up to one year's imprisonment and/or a fine.
Private right of action: Yes, but no class action.
Our team: Scott Warren and Miki Kamiya.
APAC Legislation Tracker: Malaysia
Name of law: Personal Data Protection Act 2010 (PDPA).
Supervisory authority: Personal Data Protection Department (PDPD), under the Ministry of Communications and Multimedia.
Scope of application/extraterritoriality: Applies to organisations located in Malaysia or located outside of Malaysia but offering goods and services within Malaysia.
Controller/processor distinction: Yes.
Sensitive personal data: Includes political opinions, religious/philosophical beliefs, genetic data, biometric data, health data and criminal convictions.
Lawful bases for processing: Consent, necessary for contract performance, necessary to comply with legal obligation, necessary to protect vital interests of a natural person, necessary for the exercise of any functions conferred on any person by law and necessary for administration of justice.
Security requirement: Yes. Reasonable security including technical, physical and organisational measures.
Data subject rights: Right to withdraw consent, right of access, right of rectification, right to object to processing and right to opt out of direct marketing.
Cross-border transfers: There is a draft whitelist of countries that personal data from Malaysia can be transferred to, which is pending.
Data protection officer/local representative requirement: No.
Registration/filing/approval requirement: Yes, for organisations under Personal Data Protection (Class of Data Users) Order 2013, including banks, insurers, healthcare institutions, tour operators, direct sales businesses, higher education institutions, and utilities and transportation service providers.
Breach notification: Not currently.
Employment context: No special rules currently. Data subjects in an employment context will be treated the same as those in a non-employment context.
Minors: A minor who is less than 18 years of age cannot give valid consent, and their parent or legal guardian’s consent is needed.
Direct marketing: There are specific rules on consent for direct marketing, including via online channels, email, telephone, SMS and post.
Any special/unique local requirements to note: Notices and consents need to be in a bilingual form (English and Bahasa Malaysia).
Penalties: Fine of up to MYR300,000 (approximately US$65,000 as of 19 June 2023), and/or up to two years’ imprisonment, for a breach of the PDPA. Fine of up to MYR500,000 (approximately US$108,000) and/or three years’ imprisonment for failure to register with the PDPD.
Private right of action: Yes.
Our team: Charmian Aw.
APAC Legislation Tracker: Philippines
Name of law: Data Privacy Act 2012 (DPA).
Supervisory authority: National Privacy Commission (NPC).
Scope of application/extraterritoriality: Applies to organisations located in the Philippines, or that use equipment in the Philippines for processing or maintain a presence in the Philippines. The law also applies to the personal data of any Philippine citizen or resident where the processing entity, even if it is not itself based in the Philippines, has a link with the Philippines, for instance:
- There is a contract entered into in the Philippines
- The entity has central management and control in the Philippines
- The entity in the Philippines is a branch, office or subsidiary with its parent or affiliate having access to personal data
- The entity carries on business in the Philippines
- The personal data was collected or held by an entity in the Philippines
Controller/processor distinction: Yes.
Sensitive personal data: Race or ethnicity, political opinions, religious/philosophical beliefs, genetic data, health data, criminal convictions, sex life or orientation and government identification number.
Lawful bases for processing: Must have a legitimate purpose (such as execution of a contract) and/or free, specific and informed consent. Detailed privacy notice requirements. Many must register the data processing systems with the NPC.
Security requirement: Yes, reasonable security including technical, physical and organisational measures.
Data subject rights: Right to withdraw consent, right of access, right of rectification, right to erasure, right to object to processing, right to data portability and right to indemnity.
Cross-border transfers: Transfers originating from the Philippines to a jurisdiction outside the Philippines require that approved standard contractual clauses or binding corporate rules be in place.
Data protection officer/local representative requirement: Yes.
Registration/filing/approval requirement: Yes, for organisations with at least 250 employees, that process the sensitive personal data of at least 1,000 individuals, or that are within a sector designated by the NPC (e.g. finance, medical, education and business process outsourcing).
Breach notification: Yes, to NPC and data subject within 72 hours, if the breach involves sensitive personal data or any data that can be used for identity fraud, and the unauthorised acquisition will likely give rise to a real risk of serious harm to a data subject.
Employment context: Employees would be treated differently in the context of objections to processing/withdrawal of consent. When a data subject objects or withholds consent, the personal information controller shall no longer process the personal data, unless: (a) the personal data is needed pursuant to a subpoena; (b) the collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject.
Minors: A minor who is less than 18 years of age cannot give valid consent, and their parent or legal guardian’s consent is needed.
Direct marketing: Yes, prior opt-in consent is needed for SMS marketing.
Any special/unique local requirements to note: There are detailed privacy notice requirements, and a mandatory registration requirement with the NPC that will apply to many data processing systems, particularly given the Philippines’ prominence as a hub for business process outsourcing.
Penalties: Fines of 0.5% to 3% of annual gross income for grave infractions, 0.25% to 2% of annual gross income for major infractions, fines of up to PHP5 million (approximately US$95,000 as of 19 June 2023) for other breaches of the DPA, and/or up to six years' imprisonment.
Private right of action: Yes.
Our team: Scott Warren and Charmian Aw.
APAC Legislation Tracker: Republic of Korea (South Korea)
Name of law: Personal Information Protection Act (PIPA).
Supervisory authority: Personal Information Protection Commission (PIPC).
Scope of application/extraterritoriality: Yes. Applies to (i) organisations located in Korea, (ii) organisations located outside of Korea that are offering goods or services to data subjects in Korea; and (iii) organisations located outside of Korea that are engaged in the monitoring of behaviour of data subjects located in Korea.
Controller/processor distinction: Yes.
Sensitive personal data: Includes race or ethnicity, political opinions, religious/philosophical belief, trade union membership, genetic data, biometric data, health data, sex life or orientation, government identification number and passwords.
Lawful bases for processing: Consent, necessary for contract performance, necessary to comply with legal obligation, necessary to protect vital interests of a natural person and necessary to fulfil a legitimate interest of the controller or third party.
Security requirement: Yes. Appropriate technical, physical and/or organisational security measures must be accorded to personal data.
Data subject rights: Right to withdraw consent, right of access, right of rectification, right to erasure and right to object to processing.
Cross-border transfers: Generally, there is no difference between a transfer to a third party and to a third country outside Korea. Both transfers require that at least one of the lawful bases for processing (see above) applies.
Data protection officer/local representative requirement: Yes, unless the organisation is an information and communications service provider that employs fewer than five persons or processes only a small amount of data.
Registration/filing/approval requirement: No.
Breach notification: Yes. Controllers must notify the PIPC and affected data subjects within five days for any breach involving at least 1,000 data subjects. Processors have the same obligations, but typically it is the controller that prepares and makes such notifications.
Employment context: No special rules currently. Data subjects in an employment context will be treated the same as those in a non-employment context.
Minors: A minor who is less than 14 years of age cannot give valid consent, and their parent or legal guardian’s consent is needed.
Direct marketing: Unless there is a pre-existing business relationship, prior opt-in consent is required for direct marketing via online channels, email, telephone/SMS and post.
Any special/unique local requirements to note: Hefty fines have been issued by the PIPC for contraventions of PIPA. There are stringent opt-in consents. In December 2021, the EU reached an adequacy decision for Korea, which means that personal data transfers from the EU to Korea do not require any additional measures.
Penalties: Fine of up to KRW500 million (approximately US$390,500 as of 19 June 2023) for non-compliant handling of resident registration number under the PIPA. Fine of up to KRW50 million (approximately US$39,050 as of 19 June 2023) for violation of the PIPA.
Private right of action: Yes. Representative actions are also recognised.
Our team: Scott Warren and Charmian Aw.
APAC Legislation Tracker: Singapore
Name of law: Personal Data Protection Act 2012 (2020 Revised Edition) (PDPA).
Supervisory authority: Personal Data Protection Commission (PDPC), under the Infocomm Media Development Authority.
Scope of application/extraterritoriality: Applies to any processing (collection, use or disclosure) in Singapore, even if the organisation does not have a physical presence in Singapore.
Controller/processor distinction: Yes.
Sensitive personal data: Not specifically defined, but there are special rules pertaining to national identification numbers, and prescribed categories of personal data that if compromised in a data breach would be likely to lead to significant impact or harm such as to warrant mandatory notification to the PDPC and/or affected data subjects.
Lawful bases for processing: Includes consent, necessary for legitimate interests, necessary for a business improvement purpose, necessary for an investigation or proceeding or required by other written law.
Security requirement: Yes. Reasonable technical, administrative and physical measures of security must be accorded to personal data.
Data subject rights: Right to withdraw consent, right of access, right of correction and right to portability (pending).
Cross-border transfers: There are several mechanisms for complying with the requirement for cross-border transfers of personal data originating from Singapore, with a legally binding contract being the most common.
Data protection officer/local representative requirement: Yes, every organisation must appoint at least one DPO.
Registration/filing/approval requirement: No.
Breach notification: Yes. Must notify PDPC within three calendar days of discovering a notifiable data breach, and without undue delay to an affected data subject.
Employment context: There are two additional exceptions to consent, where processing is necessary for an evaluative purpose, or reasonable to manage or terminate an employment relationship.
Minors: Consent from a parent or legal guardian is required to process personal data of a minor under 13 years of age.
Direct marketing: Prior clear and unambiguous opt-in consent is required for telemarketing via phone/SMS/fax, if the relevant Singapore number is subscribed to the Do Not Call Registry.
Any special/unique local requirements to note: Business contact information is excluded from the PDPA.
Penalties: Financial penalty of up to 10% of annual turnover in Singapore (for organisations whose Singapore turnover exceeds S$10 million) or S$1 million, whichever is higher.
Private right of action: Yes. No class action.
Our team: Charmian Aw and Nick Chan.
APAC Legislation Tracker: Taiwan
Name of law: Personal Data Protection Act (PDPA).
Supervisory authority: Personal Data Protection Office (PDPO).
Scope of application/extraterritoriality: Applies to any organisation located in Taiwan or that collects, processes or uses personal data in Taiwan, or applies to the government and the non-government agencies outside Taiwan when they collect, process or use the personal data of Taiwanese citizens.
Controller/processor distinction: Yes.
Sensitive personal data: Includes data pertaining to a natural person’s medical records, healthcare, genetics, sex life, physical examination and criminal records.
Lawful bases for processing:
For a government agency:
- Where it is within the necessary scope to perform its statutory duties
- Where consent has been given by the data subject
- Where the rights and interests of the data subject will not be infringed upon
For a non-government agency:
- Where it is expressly required by law
- Where there is a contractual or quasi-contractual relationship between the non-government agency and the data subject, and proper security measures have been adopted to ensure the security of the personal data
- Where the personal data has been disclosed to the public by the data subject or has been made public lawfully
- Where it is necessary for statistics gathering or academic research by an academic institution in pursuit of public interests, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject
- Where consent has been given by the data subject
- Where it is necessary for furthering public interest
- Where the personal data is obtained from publicly available sources unless the data subject has an overriding interest in prohibiting the processing or use of such personal data
- Where the rights and interests of the data subject will not be infringed upon
Security requirement: Yes, appropriate security measures must be accorded to personal data.
Data subject rights: Right to withdraw consent, right of access, right of rectification, right to erasure and right to object to processing.
Cross-border transfers:
When cross-border transfer of personal data is carried out by a non-government agency under any of the following circumstances, the central government authority in charge of the industry concerned may impose restrictions on such transfer:
- Where major national interests are involved
- Where an international treaty or agreement so stipulates
- Where the country receiving the personal data lacks proper regulations on protection of personal data and the data subjects’ rights and interests may consequently be harmed
- Where the cross-border transfer of the personal data to a third country (territory) is carried out to circumvent the PDPA
Data protection officer/local representative requirement: Government agencies are required to assign dedicated personnel to implement security and maintenance measures to prevent the personal data from being stolen, altered, damaged, destroyed or disclosed.
Registration/filing/approval requirement: No.
Breach notification: If any personal data is stolen, disclosed, altered or otherwise infringed upon due to a violation of the PDPA by a government or non-government agency, the data subject shall be notified via appropriate means after the relevant facts have been clarified.
Employment context: No special rules currently. Data subjects in an employment context will be treated the same as those in a non-employment context.
Minors: No special rules under the PDPA.
Direct marketing: Allowed only if the use is compatible with the specific purpose(s) for which the data was collected. A non-government agency shall cease using personal data for marketing upon the data subject’s objection to such use. A non-government agency, when using the data subject’s personal data for marketing purposes for the first time, shall inform the data subject of the ways in which they can object to such use, and the agency shall bear the costs of doing so.
Any special/unique local requirements to note: Not applicable.
Penalties: Fine of up to NTD500,000 (approximately US$16,200 as of 19 June 2023) for administrative contraventions, or fine of up to NTD1,000,000 (approximately US$32,500 as of 19 June 2023) and/or five years’ imprisonment for criminal contraventions.
Private right of action: Yes.
Our team: Nick Chan and Charmian Aw.
Name of law: Personal Data Protection Act 2019 (PDPA).
Supervisory authority: Personal Data Protection Committee (PDPC).
Scope of application/extraterritoriality: Applies to organisations located in Thailand, organisations located outside of Thailand offering goods or services to data subjects in Thailand and organisations located outside of Thailand but that are engaged in the monitoring of behaviour of data subjects located in Thailand.
Controller/processor distinction: Yes.
Sensitive personal data: Race or ethnicity, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or orientation and criminal convictions.
Lawful bases for processing: Consent, necessary for contract performance, necessary to comply with legal obligation, necessary to protect vital interests of a natural person, necessary for public interest, necessary to fulfil legitimate interests of controller or third party, necessary to prepare historical documents or archives for public interests and for research or statistics where protection measures are in place.
Security requirement: Yes. Appropriate technical, administrative and physical measures of security must be accorded to personal data.
Data subject rights: Right to withdraw consent, right of access, right of rectification, right to erasure, right to restrict or object to processing, right of data portability and right to lodge a complaint with the PDPC.
Cross-border transfers: Transfers of personal data from Thailand are only permitted to a whitelisted jurisdiction, pursuant to approved standard contractual clauses, binding corporate rules, one or more of the lawful bases for processing (see above), or to exercise or defend legal claims.
Data protection officer/local representative requirement: Yes, if there is regular monitoring of large volumes of personal data, or the core activity of the organisation is the processing of sensitive personal data.
Registration/filing/approval requirement: No.
Breach notification: Data controller must notify the PDPC without delay and within 72 hours from its discovery unless an exception applies. For breaches likely to result in a high risk to the rights and freedoms of a data subject, the data controller must notify them without undue delay.
Employment context: No special rules currently. Data subjects in an employment context will be treated the same as those in a non-employment context.
Minors: The consent of a minor’s parent or legal guardian is required if the minor is younger than 10 years of age, or is over 10 but younger than 20 years of age and is neither married nor has the capacity of a sui juris person in Thailand.
Direct marketing: Prior opt-in consent is required for direct marketing, including via online channels, email, telephone/SMS or post.
Any special/unique local requirements to note: Currently, there is no specified period for a controller to assess/determine whether a data breach is notifiable or not. It is anticipated that the PDPC may issue further clarification or guidance on this issue in due course.
Penalties: Fine of up to THB5,000,000 (approximately US$144,000 as of 19 June 2023). For criminal contraventions, fine of up to THB1,000,000 (approximately US$28,700 as of 19 June 2023) and/or one year of imprisonment.
Private right of action: Yes. Punitive damages of up to two times the actual compensation can be awarded.
Our team: Charmian Aw and Scott Warren.
Name of law: Decree on Personal Data Protection (Decree).
Supervisory authority: Ministry of Public Security (MPS).
Scope of application/extraterritoriality: Applies to organisations located in Vietnam, organisations that process the personal data of data subjects who were located in Vietnam when the data was collected, and organisations processing personal data in Vietnam.
Controller/processor distinction: No.
Sensitive personal data: Includes race or ethnicity, political opinions, religious views, health data, sex life or orientation, criminal records, customer information of credit institutions/foreign bank branches/payment intermediary service providers and location data.
Lawful bases for processing: Consent, necessary for contract performance, necessary to comply with legal obligation, necessary to protect vital interests of a natural person or necessary for public interest.
Security requirement: Yes. Appropriate technical, physical and/or organisational security measures must be accorded to personal data.
Data subject rights: Right to withdraw consent, right of access, right of rectification, right to erasure, right to restrict or object to processing, right to edit, view or be provided with copies of personal data and right to complain to supervisory authority.
Cross-border transfers: For transfers of personal data from Vietnam overseas, a dossier of impact assessment for the cross-border transfer of personal data (TIA Dossier) must be prepared, and one original copy submitted within 60 days to the Department of Cybersecurity and Hi-Tech Crime Prevention (A05), an authority under the MPS.
Data protection officer/local representative requirement: Yes. Must submit information on the DPO in the data protection impact assessment profile (DPIA Dossier) to be filed with the A05.
Registration/filing/approval requirement: Yes, the TIA Dossier and DPIA Dossier (see above).
Breach notification: Not specifically required in the Decree.
Employment context: No special rules currently. Data subjects in an employment context will be treated the same as those in a non-employment context.
Minors: Minors over seven years of age can give consent, but this must be accompanied by their parents’/legal guardians’ consent. For minors under seven years of age, only their parents’/legal guardians’ consent is required.
Direct marketing: There are special provisions applicable to the marketing and advertising industries. Marketing/advertising providers can only process personal data with the data subject’s informed, opt-in consent.
Any special/unique local requirements to note: Certain data subject rights, e.g. the rights to restrict/object to processing, the rights of access and rectification, and the right to erasure, must be complied with within 72 hours of the request. Additionally, the Law on Cybersecurity imposes a data localisation requirement on certain businesses.
Penalties: Disciplinary action, administrative sanctions or criminal penalties based on regulations to be issued under the Decree.
Private right of action: Yes, and representative actions are recognised.
Our team: Charmian Aw and Scott Warren.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.