History and overview

Personal data protection regimes in the Asia-Pacific region have evolved later and more slowly than those in Europe; Singapore and the Philippines passed their first data protection legislation in 2012, Thailand only adopted its Personal Data Protection Act in 2019 and Indonesia and Vietnam are on the cusp of passing their personal data protection laws.

This is despite the fact that South East Asia is one of the fastest growing regions for digital innovation. That said, its approach to regulation is rapidly maturing, with the implementation and enforcement of privacy and data security laws across the region becoming markedly more rigorous and stringent as it plays catch-up with the digital economy.

The growth and development of the Asia Pacific economy: why is data privacy so important?

South East Asia is one of the fastest growing regions for digital innovation. For context, digital commerce in the top 6 countries in ASEAN is expected to reach US$90 billion by 2025, a significant increase from the US$5 billion generated in 2015. 

Government focus and support for such development, and a willingness to invest in related infrastructure such as internet connectivity, has facilitated the growth of technology and related sectors. By way of example, Malaysia has established the world’s first Digital Free Trade Zone, Singapore has a Smart Nation vision and Thailand is developing a strategy based on all sectors of its economy becoming digital.

The collection of personal data by countries in the Asia-Pacific region is also expected to grow exponentially as the processing and analysis of large amounts of personal data become possible with digital technologies. Perhaps unsurprisingly, a significant number of countries within the region have identified the need for effective cyber security and data protection legislation to foster and encourage growth and to meet internal and external demand.

Developing trends

One of the clear trends emerging in the region is the movement towards stricter requirements and enforcement (as set out below in further detail). Equally, while the Asia Pacific region has been traditionally perceived as less litigious than Europe and the USA, this is changing as digital adoption increases and governments become more sensitive to the need to protect personal data and confidential information.

As a general comment, employees in the region have become more aware of their rights, and a number of governments in the region have demonstrated a clear intention to not only drive the growth of industry sectors that harness data, but also to protect personal data of employees and other individuals in parallel with that growth.

It is important to remember that each jurisdiction's data protection landscape is different in terms of maturity, sophistication and enforcement. However, it is certain and almost inevitable that Asia's data protection landscape as a whole will evolve into a more heavily regulated setting.

Recent developments

China, Singapore, South Korea, Japan, Australia, Malaysia, and the Philippines have recently updated their data protection compliance rules or will soon be introducing new privacy and cyber security laws. There is a clear emphasis across the region on data security and use of personal data, and a marked emphasis on ensuring compliance coupled with increased sanctions for failure to comply.

  • Singapore's Personal Data Protection Act already includes certain aspects that will be familiar to those already operating under the GDPR in Europe, such as mandatory breach notification. In August 2018, the PDPC (Singapore's national regulator) also published advisory guidelines for processing national identification numbers, which are considered highly sensitive and so subject to particularly high levels of protection.
  • Updates to the Data Privacy Act in the Philippines imposed tougher requirements and sanctions for breaches of personal data security, including a compulsory 72-hour personal data breach notification.
  • Australia has put in place similar data protection safeguards, including a mandatory data breach notification scheme (failure to comply can lead to fines of up to US$2 million).
  • China has introduced a particularly comprehensive set of data protection regulations, including legislation covering data anonymisation, big data, overseas data transfers, and information security. For example, an employee's prior consent must be obtained before any processing of their personal information takes place, unless such personal information is anonymized and the individual cannot be re-identified. In addition, data subjects should be informed of the purpose and scope of usage of their private data.
  • Companies who fail to comply with the law potentially face severe financial penalties, possibly including the loss of their rights to conduct business.
  • South Korea’s Personal Information Protection Act, updated in 2016 and again recently, is similar in structure to Europe's GDPR and contains some of the strictest data protection rules in the world, in particular those relating to IT networks.

The interplay with European requirements

Whilst there is an argument that early data protection legislation in this region was often heavily influenced by European counterparts, and it is likely that several features of the GDPR have been and may continue to be reflected in local legislation across the region, it is striking that a number of Asia Pacific nations are developing their own approach to these matters independent of (and in a number of cases, outstripping) Europe.

Accordingly, there are notable gaps and some important differences between the GDPR and the data protection regimes across the Asia Pacific region. Employers with a presence in both Asia Pacific and Europe would therefore be well-advised to seek specific advice across the region as appropriate.

Employee data: what are the implications?

With a growing recognition of the importance of personal data protection, we are seeing increasing concern over the interplay between employers' obligations pursuant to local legislation and other legal obligations, such as the requirement to maintain employee records and the need to manage and monitor employee activity.

Employers across the Asia Pacific region are also seeing a shift in the attitude of national regulatory bodies and courts, who are increasingly armed with a wide remit and the power to investigate and impose significant sanctions. Employers are also seeing a shift in the attitude and understanding of employees themselves, who are becoming increasingly aware of both how data may be used and their individual rights.

All of this means that employers operating in the Asia Pacific region must increasingly consider the data protection implications, together with related employee relations and regulatory consequences, of their day-to-day activities involving employee data. Data privacy, and in particular the need to appropriately manage, use and store staff personal information, is becoming a critical part of business operations.

This may entail a review of employer structures and systems, and changes to those structures and systems may need to be made as a result. Non-compliance can be costly and lead to serious damage to an employer's reputation and to its wider company brand.