• Consent remains the primary legal basis for processing personal data in China, India and Vietnam. In addition, Australia, China, Malaysia, Philippines, Taiwan and Thailand all require consent for the collection of sensitive personal data (and this will require a separate reputational assessment to be made under Vietnam’s new Personal Data Protection Law). Deemed consent is also a permitted legal basis in Singapore (subject to certain constraints), and to a more limited degree in India as well.
• Indonesia, the Philippines, Singapore and Thailand permit data processing based on an organization’s legitimate interests. China, Indonesia, Korea, Malaysia, the Philippines, Singapore, Taiwan and Thailand allow processing where necessary for the performance of a contract with the data subject. Clarification is needed whether Vietnam will also allow processing on this basis under the new law, in particular for online services. Neither legal basis is available for the processing of sensitive personal data in those countries that require consent.

• While South Korea also permits processing based on legitimate interests, the GDPR standard (and that adopted elsewhere in Asia) it flipped by instead requiring that the organization’s legitimate interests clearly override an individual’s rights in order for this legal basis to be relied upon.
• GDPR-style data subject rights have been widely adopted across Asia, particularly the rights to access and rectification, erasure and cessation of processing. The right to object to automated processing (China, Indonesia, Philippines and Vietnam (pending)) and the rights of data portability are less well cemented at this point in time. Only China, the Philippines and South Korea grant both (the portability right is not yet in force in Korea). Singapore and Malaysia have also recently extended their data subject rights to include a right of portability, although neither amendment is in effect yet.
• Privacy impact assessments are either required or recommended in many Asian countries – although the specific triggers for these assessments vary.
• Mandatory breach reporting obligations are the norm across the region (as discussed further below), with an additional annual security incident reporting requirement in the Philippines. Reporting timelines typically follow the GDPR standard of 72 hours. Several countries require organizations to implement formal security incident management processes (eg China, Indonesia and Malaysia) as a specific organizational measure to protect personal data, and this has been proposed in Australia as well.
• Maximum penalties range quite considerably across the region, although with maximum penalties set as a percentage of revenue/turnover having recently been introduced in several countries (eg China, India, Indonesia and Singapore) and proposed in Australia. Overall, both maximum and awarded penalties are trending markedly upwards.
• Varied rules on cross-border data transfers are also increasing compliance burdens on multinational companies (see Chapter 2 for recent developments in the related rules in Asia).

Yet significant divergence in Asian privacy laws, too

While Asia’s privacy laws reflect a relatively high degree of general consensus in approach (as outlined above), each has its unique requirements and idiosyncrasies. These points of difference can have significant practical impacts on compliance programs.

The absence of any true harmonization in the permitted legal basis for processing, and the greater reliance on consent as the primary and preferred basis for processing creates a significant impediment by itself to organizations taking a single regional approach to privacy compliance.

It is important that international companies maintain awareness of all important local requirements in those Asian jurisdictions in which they operate, given the significant penalties that attach to non-compliance in many, and the generally increasing levels of enforcement also.

For examples, while it was noted above that most countries in Asia have either introduced or are proposing (ie Malaysia) mandatory data breach reporting requirements, the basis for reporting may vary significantly from one jurisdiction to the next.

There are notable differences in data incident reporting thresholds across the region – harm or scale standards are often set up differently, for example, or with differing deeming criteria. In other jurisdictions, reporting requirements can be triggered depending on the nature of the incident, for example whether it involves unauthorized access from outside the organization. Specific sectoral reporting obligations may also apply.

The assessment of reporting requirements for data security incidents that implicate personal data that was either collected in or relates to the residents of multiple countries/territories is made more complex still by the large amount of variability in the jurisdictional basis for the application of local law to data that is processed in another country or for purposes related to activities in another country (eg an overseas purchase or booking). Mandatory (ie standard form) contractual mechanisms for cross-border data transfers may include their own reporting obligations on either transferor or transferee (or both).

These assessments also need to be made against relatively strict reporting deadlines, typically within a reporting window of 72 hours or less. The prevailing standard for reporting to privacy authorities and for notifying individuals can be different within a single jurisdiction.

An early report in one country – reflecting a more limited understanding of the incident available at the time – may impact the reporting strategy in another country where the report is due later. Reporting may precipitate a privacy authority to start an investigation before reports have been filed in other countries. Those earlier filed reports and regulatory submissions may also be discoverable in the context of investigatory processes and court proceedings in other countries around the world. Risk calculations may therefore need to be made.