Skip to main content

Data privacy regulation in Asia

Data privacy regulation in Asia

In the past three years there has been an explosion of new data privacy regulation across the Asia region. OECD-based data privacy regimes have been brought forward in India, Singapore, Malaysia, the Philippines, South Korea and Taiwan. China, too, now has in force regulations based on the OECD-model, although these apply only to telecommunications and internet service providers. The drivers behind the authorities' new focus on data privacy laws are multiple. There has been a need to legislate for higher data protection standards to encourage greater consumer confidence in the field of e-commerce transactions, as well as to prevent opportunities for potential misuse of personal data, through unauthorized collection, disclosure and use. Additionally, increased data privacy protection requirements in the region may support greater transfer of international data to the region to outsourcing IT and business process service providers.

Our 2014 Data Privacy in Asia guide takes stock of the current state of data privacy law in China, Hong Kong, India, Japan, Singapore, Malaysia, the Philippines, South Korea, Taiwan and Vietnam. The laws in these countries vary in terms of application, requirements and enforcement. In our guide, we have compared the contrasting approaches to data privacy regulation and produced a 'data privacy heat map' that highlights the more challenging regimes from a business compliance perspective on a country by country basis.

The scoring methodology for the 'heat map' takes into consideration a number of factors relevant for businesses' operations, such as: the stringency of consent requirements; restrictions on overseas transfers; data security breach notification requirements; regulation of data processors; separate categories for sensitive personal data; scale of fines for breaches and the aggressiveness of enforcement by the authorities.

Given the recent establishment of several data privacy regimes analysed, the assessment will have to be reviewed regularly as the approaches to interpreting and enforcing the laws become clearer over time. But it is evident, that the diverging approaches to data privacy regulation will likely create significantly different practical effects in their implementation that businesses will have to be aware of.