2022 is a milestone year for data privacy and cyber security laws developments across Southeast Asia.
We set out the key changes as follows:
New data privacy laws in Indonesia
The long-awaited Personal Data Protection Law (“PDPL”) has been in place since October 2022. PDPL is Indonesia’s first omnibus data protection legislation. Organisations will have a 2-year transition period to comply with PDPL.
All existing laws and regulations which regulate personal data protection will remain valid to the extent that they do not contradict the provisions of PDPL (including data localisation requirements under Government Regulations No. 71 of 2019 as data localisation is not dealt with under PDPL). We expect regulations providing guidance about key aspects of PDPL in coming months.
There are similarities and differences between PDPL and the EU General Data Protection Regulation (“GDPR”):
Exemptions from the application of PDPL are similar to those under other jurisdictions, e.g. where personal data is processed for personal or household purposes, and data processing activities for (a) the interests of national defence and security; (b) the interests of law enforcement process; (c) the public interest in the context of state administration; or (d) the interests of supervising the financial services, monetary, payment system sectors, and financial system stability carried out in the context of state administration.
The transfer mechanisms for cross-border data transfers are similar to those in other jurisdictions but are listed in order of priority as follows: (i) adequacy decision (i.e. a comparable level of protection); (ii) binding contractual clauses on the overseas data recipient; and (iii) consent from data subjects. This is a significant relaxation from the previous system, which required pre- and post-notification to the Ministry of Communications and Informatics. It remains to be seen whether the regulator will issue model contractual clauses for (ii) under future regulations.
The new sanctions regime sets out a range of criminal and administrative fines, varying in magnitude depending on the nature of the violation. Criminal sanctions include fines of up to USD400,000 for individuals and USD4 million for corporations, plus imprisonment of up to 6 years for individuals. Criminal sanctions may be imposed on the board of directors and beneficial owners of the companies. An offending party may be liable for administrative fines of up to 2% of its annual turnover. Through these sanctions the government is sending a strong message that personal data protection must be taken seriously in Indonesia.
Please refer to our full briefing.
Privacy Laws in Thailand coming together
Multiple guidelines with various effective dates have been introduced in Thailand since the main data protection provisions under the Personal Data Protection Act (“PDPA”) came into full effect on 1 June 2021. Organisations in Thailand should consider the new guidelines to ensure that their data privacy practices remain compliant with the PDPA.
While there is a grandfathering provision under the PDPA which allows data controllers to continue processing personal data that was collected before 1 June 2021, data controllers are required to publicise channels by which data subjects can stop data controllers from doing so.
Decree 53 finally provides some clarity on the Cybersecurity Law
Decree No. 53/2022/ND-CP (“Decree 53”), which took effect on 1 October 2022, clarifies some important aspects of the Law on Cyber Security No. 24/2018/QH14 (“Cybersecurity Law”), including the application of the data localisation requirements to Vietnam domiciled entities and foreign enterprises.
The criteria under the Cybersecurity Law and Decree 53 together provide that the data localisation requirements only apply to Vietnam domiciled entities that are: (i) service providers in the telecommunications network, internet or providing value added services in cyberspace; and (ii) processing personal data of Vietnam users, data about the relationship of users in Vietnam or data created by users in Vietnam. The domestic entity must retain such specified categories of data in Vietnam indefinitely. We understand from the Ministry of Public Security that it is possible to mirror such data in a local server and to keep a copy of the personal data outside of Vietnam.
For foreign enterprises, Decree 53 clarifies that such specified categories of data will need to be stored in Vietnam and a local presence needs to be established only where all of the conditions below are met:
The Cybersecurity Law requires domestic and foreign service providers to store users’ data in Vietnam. This requirement has raised concerns from organisations due to its ambiguity, including regarding the scope of the data localisation requirements.
While Decree 53 is helpful in clarifying some aspects of the Cybersecurity Law, under Decree 53 a data subject’s consent must always be obtained, as there is no alternative legal basis for processing their data. Further, Decree 53 does not contain any thresholds for notifiable data breaches, which means that all types of data breaches are notifiable to the PDPC.
Are we expecting a complete overhaul of Indian data protection laws?
On 3 August 2022, India withdrew the personal data protection bill introduced in 2019. The scrapped bill had been considered by the Indian Parliament in significant detail with over 80 amendments and 12 recommendations proposed before the withdrawal. A new data protection bill is expected to be presented to the Indian Parliament for approval in December 2022.
Key areas of concern under the scrapped bill include the management of sensitive information and the scope of the Indian Government’s access to data.
(i) Emotional distress recognised as actionable loss and damage
The Singapore Court of Appeal has held that emotional distress may constitute actionable “loss or damage” under the Personal Data Protection Act 2012 (“PDPA”). In determining whether emotional distress is a form of loss or damage, the Court of Appeal in Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60 found that a wider interpretation of the PDPA better promotes the purposes of the PDPA and that parliament intended for the enforcement regime of the PDPA to be an effective means by which individuals can enforce their rights to protect their personal data. The Court held that the loss of control of personal data would not constitute loss or damage for the purposes of the PDPA.
(ii) New administrative fine of up to 10% of an organisation’s annual turnover in Singapore
The administrative fine for data breaches under the PDPA, which is up to 10% of an organisation’s annual turnover in Singapore (if annual turnover exceeds SGD 10 million), took effect on 1 October 2022 pursuant to amendments set out in the Personal Data Protection (Amendment) Act 2020. Organisations will be potentially liable for fines for contraventions of the personal data protection requirements under the PDPA (excluding Part 9 and section 48B(1) of the PDPA).
Privacy law reform tabled for parliamentary discussion in Malaysia
Malaysia does not currently have a mandatory data breach notification requirement under its data privacy legislation, the Personal Data Protection Act 2010 (“PDPA”). Reforms to implement a mandatory data breach notification regime were tabled for parliamentary discussion in October 2022.
The proposed mandatory data notification regime was one of 22 recommendations in the PDPA public consultation paper published by the Personal Data Protection Commission (“PDPC”) in February 2020.
The proposed mandatory data breach notification regime will require notifiable personal data breaches to be reported to the PDPC within 72 hours. The PDPC proposes to issue guidelines to assist organisations’ compliance with this new mandatory notification requirement.
Other recommendations tabled for parliamentary discussion are reported to include: (i) imposing a direct obligation on data processors to comply with security principles under the PDPA; (ii) appointing a data protection officer; (iii) enshrining rights to data portability, i.e. a data user should transfer the personal data of a data subject to another data user in a user-friendly, machine-readable format at the request of the data subject (if technically feasible); and (iv) a ‘blacklist’ of jurisdictions for cross-border transfers out of Malaysia (to replace the current prescriptive ‘whitelist’ system).
Novel approaches in determining fines under data privacy laws
The recent introduction of the NPC Circular No. 2022-01 (“Circular”) on the Guidelines on Administrative Fines sees the Philippines adopting a novel approach in determining fines for breach of the Data Privacy Act 2012.
The Circular sets out three categories of infractions, namely: (i) grave infractions; (ii) major infractions; and (iii) other infractions. Infractions are categorised based on:
(a) the number of data subjects affected;
(b) frequency of the infractions; and
(c) reason for non-compliance (e.g. oversight, recklessness or intentional acts).
“Grave infractions” and “major infractions” carry an administrative fine linked to a certain percentage of the offender’s annual gross income (i.e. 0.5% to 3% and 0.25% to 2% respectively). “Other infractions” are liable for a fine of between Php 50,000 (USD 870) and Php 200,000 (USD 3,500).
Herbert Smith Freehills’ Asia data and cyber team is a regional practice focusing on data privacy, data security and cyber security issues across Asia.
We assist our clients in navigating the complex and evolving data privacy landscape and responding to the full gamut of data protection and cybersecurity issues and events. We work with our clients to come up with legally compliant and commercial solutions to address their data and cyber issues.
We advise on a whole spectrum of issues including privacy audit and gap analysis, data privacy law compliance covering cross-border jurisdictional issue, outbound data transfer, privacy documentation, strategic projects such as implementing privacy compliance programmes and scenario planning, as well as cyber incidents responses. We also advise our clients on data monetisation and data licensing documentation.
“Data Notes” is Herbert Smith Freehills’ data know-how and news blog where you will find the latest legal developments worldwide on all things data, including data protection, privacy and cyber security.