Skip to content
Schedule a Call
Call Now

Asia’s Regional Data Protection Regulations and its comparison with the GDPR

Article by Tsaaro

7 min read

Over the recent years, Asian regulators have put rigorous effort into ramping up their data protection regimes. Several Asian countries such as India, China, South Korea, Vietnam, Malaysia, Thailand and Indonesia have introduced or enhanced their existing cybersecurity or data protection laws. Recently, China gave a final read to its Personal Information Protection Law (“PIPL”) and enacted it as its first comprehensive law on data protection in 2021. India, Indonesia and Vietnam are most likely to follow suit in the short term.

The EU’s General Data Protection Regulation (“GDPR”) in 2018 and other similar regulations elsewhere in the world has increased the awareness of the rights of individuals in protecting their privacy and data protection in general. As opposed to the EU, the Asia-Pacific landscape entails numerous legal systems of diverse characters and historical backgrounds, making it close to impossible to generalise how the data protection laws operate in this region. Corporations in these jurisdictions must bear with the intricacies that each prescribes while developing a privacy compliance programme.  

Most of the data protection regimes in Asia are analogous to each other at their core as they are aligned to the globally recognised principles of data privacy; however, a few tweaks have been made to customise them to the specific regional requirements of these States. These countries have drawn inspiration from the EU’s GDPR, but some, on the other hand, have extended the reach of their regional laws beyond that of their European counterparts. 

This article is a high-level overview of the commonalities and differences present in the privacy regimes in the Asia-Pacific region.

Regional comparison of Asian Data Protection regimes – Commonalities and Differences 

To date, twenty jurisdictions in this region have a comprehensive privacy regulation in place. China, Thailand and Uzbekistan are the newest members to join the party. Laws in Japan, Kazakhstan, South Korea, New Zealand and Singapore have been recently amended. They have been included in this overview to get an up-to-date understanding of the difference in privacy regulations of this region. 

  1. Scope – Extraterritorial application

The GDPR applies to organisations “established” in the EU that personal process data, regardless of whether the processing occurs in the EU. Concerning the extraterritorial scope, it applies to the processing activities of data controllers and data processors that do not have any presence in the EU, where processing activities are related to the offering of goods or services to individuals in the EU or the monitoring of the behaviour of individuals in the EU. 

Most of the countries in the Asia-Pacific region have laws that prescribe the processing of data within the jurisdictional boundaries of the country. However, seven countries provide extraterritorial provisions that are similar or sometimes exceed the scope of the extraterritorial requirements of the GDPR. Australia, Japan, China, Indonesia, the Philippines, New Zealand and Thailand. 

  1. Cross-border transfer of data 

A majority (sixteen) of the countries in the Asia-Pacific region impose restrictions on cross-border transfers of personal data. However, the laws of Hong Kong, Indonesia, Taiwan and Nepal allow the cross-border transfer of personal data without any restrictions. The legal bases for such transfers vary significantly depending upon the adequacy, consent from data subjects/data regulation authority (or any other legal requirements), treaty obligations or even binding corporate rules or agreements. Thus, although these countries allow cross border transfer of data with restrictions, the similarities are said to end there as the conditions attached to determine whether countries can transfer the data or not. 

No country in the Asia-Pacific region has laid out a list of jurisdictions that provides adequate protection to safeguard the data transferred or any model contractual clauses as seen in the EU. For example, Japan, New Zealand and recently South Korea have been approved to provide adequate protection by the EU. Taiwan is currently working its way to obtain a proper decision as well. 

  1. Breach Notification

Mandatory breach notification laws are spreading quickly as they are currently perceived as “best practice” and “politically popular” in the prevailing geopolitical scenario. In the event of a data breach, half (ten) of the countries listed in this region require some form of a mandatory notification to be made to the relevant authorities and the affected individuals. Some laws only require entities to notify the affected individuals and the data protection authority “promptly” or “without any delay”. Some jurisdictions have specified the period as seventy-two hours, such as in the case of the Philippines, Singapore and Thailand, five days in the case of South Korea and fourteen days in the case of Indonesia. Singapore also requires entities to submit a report within fourteen days of the initial notification detailing the causes of the incident, impact and remedial measures taken by the organisation to tackle the data breach incident. 

  1. Legal basis for the processing of data 

The GDPR provides seven major fundamentals for processing data: consent, the performance of a contract, legitimate interest, vital interest, legal requirement, and public interest. Most of the countries in the Asia-Pacific region (thirteen) do not allow data processing based on legitimate interests. The range of legal basis for the processing of data varies widely from one jurisdiction to another. For instance, consent of the data subject is considered the most common legal basis for processing in these States. 

  1. Rights of data subjects

The right to provide access to and correct the personal data stored is provided in all jurisdictions. Erasure rights are available in eleven countries, whereas only four countries- China, Philippines, Singapore and Thailand- provide data portability rights. The time frame within which an entity must respond to a data subject’s rights varies in this region. Under the GDPR, one month is provided to an organisation to respond to a request made. Here, four countries provide requests to be attended within 30 days, three within 15-21 days, two within 10 days, and five within 1-7 days. The others do not prescribe a specific period. 

  1. Appointment of Data Protection Officer (DPO)

Data protection officers are independent experts in data protection who are responsible for monitoring and advising on an organisation’s data protection compliance programme, monitoring and assessing DPIAs and acting as a point of contact for data subjects and relevant supervisory authorities. China, Japan, Kazakhstan, Korea, New Zealand, Philippines, Singapore and Thailand are the eight countries that mandate the appointment of a DPO in this region. 

  1. Data Localisation Requirements

Currently, only three jurisdictions mandate data localisation in this region. However, the pressure to uniformly implement the same continues to grow significantly after China adopts the PIPL. Now, organisations in China that have high process volumes of personal data and operators of “critical infrastructure” are required to store such information within the borders of China. When such information is critically needed to be transferred to a third-party operator abroad, such an organisation must clear the security assessment conducted by the CAC except in those cases where they are exempted by law from taking such an assessment. Kazakhstan’s privacy regulation mandates entities to store their data locally. In Uzbekistan, the owners or operators processing their citizens’ data must use technical means located in Uzbekistan itself. Additionally, such technical standards must also be registered in the State Register of Personal Data Databases, even if the processing occurs through information technologies or the internet. 

  1. Registration 

Under Article 30 of the GDPR, all companies are now required to maintain an internal electronic registry of all the information of the personal data processing activities carried out to provide for the principle of accountability.  The trend prevalent around the world is to minimise the registration requirements. However, Kyrgyzstan, Macao, Malaysia, the Philippines, Uzbekistan, and Tajikistan are the six countries requiring organisations to register their processing activities with a data protection authority. 

  1. Data Protection Impact Assessments (DPIAs)

Under the GDPR, a DPIA is required to be performed every time a new project is taken on by an organisation that poses a “high risk” to people’s personal information. In the Asia-Pacific region, Singapore, South Korea, China and the Philippines are the only four countries that require organisations to carry out DPIAs. In contrast, most other local laws do not require organisations to carry out such assessments. 

  1. Enforcement 

The enforcement authorities or the data protection authorities (DPAs) in South Korea, Japan, Hong Kong, Singapore and Australia have responded to the ongoing massive data breaches with the utmost strictness. They have carried out aggressive inspections and have prosecuted organisations that have failed to implement the proper security measures mandated by law, resulting in heavy fines and sometimes corrective orders. These countries are also focussing on enhancing their private sector security practices. Enforcement is expected to increase in the coming years due to new and amended laws that increase the penalties. Other types of privacy violations, the Korean Personal Information Protection Commission (PIPC) imposed a fine of KRW 6.6 billion on an online platform operator for violating lawful processing requirements, consent particulars, and processing of pseudonymised information, are also in play. 

Conclusion 

The above comparisons show that when it comes to inter-state trade between Europe and the Asian countries, the EU’s adequacy decision plays a vital role in facilitating data transfers between Europe and other countries. As data transfers are essential to most business processes today along with the ECJs judgement in Schremes II, the EU’s role in dictating model contractual clauses and best practices will seep into the data protection practices of the Asia-Pacific countries as well. After several rounds of negotiations, South Korea has recently obtained the EU’s adequacy decision where additional safeguards were agreed upon, such as enhanced notice obligations, onward data transfers, and processing for national security purposes. Importantly, individuals in the EU whose data is transferred to South Korea can now complain with the PIPC. Thus, we can expect similar changes to be made in other privacy regulations in the Asia-Pacific region.  

This article was written by Aryashree Kunhambu

980 thoughts on “Asia’s Regional Data Protection Regulations and its comparison with the GDPR”

  1. Gabriela

    Wonderful post however , I was wondering if you could write a litte more on this subject?

    I’d be vvery grateful if you could elaboratee a little
    bit further. Thanks!

    Here is my blog: Gabriela

  3. Zoet

    Very well written! The points discussed are highly relevant. For further exploration, I recommend visiting: LEARN MORE. Keen to hear everyone’s opinions!

  736. TylerMog

    Sistemas de calibración: esencial para el rendimiento estable y productivo de las equipos.

    En el ámbito de la innovación contemporánea, donde la efectividad y la estabilidad del aparato son de suma trascendencia, los sistemas de equilibrado tienen un tarea esencial. Estos sistemas específicos están desarrollados para calibrar y regular elementos rotativas, ya sea en herramientas manufacturera, automóviles de traslado o incluso en dispositivos caseros.

    Para los profesionales en mantenimiento de dispositivos y los técnicos, trabajar con sistemas de equilibrado es crucial para promover el funcionamiento estable y estable de cualquier sistema móvil. Gracias a estas alternativas modernas sofisticadas, es posible limitar notablemente las movimientos, el estruendo y la carga sobre los soportes, prolongando la longevidad de piezas caros.

    De igual manera relevante es el tarea que tienen los equipos de ajuste en la soporte al consumidor. El ayuda experto y el mantenimiento regular utilizando estos dispositivos posibilitan brindar prestaciones de gran excelencia, elevando la satisfacción de los consumidores.

    Para los titulares de negocios, la financiamiento en sistemas de calibración y dispositivos puede ser fundamental para incrementar la rendimiento y desempeño de sus equipos. Esto es especialmente significativo para los inversores que gestionan medianas y intermedias negocios, donde cada detalle vale.

    Por otro lado, los dispositivos de balanceo tienen una vasta implementación en el sector de la seguridad y el gestión de nivel. Posibilitan encontrar eventuales fallos, previniendo intervenciones costosas y perjuicios a los sistemas. Más aún, los datos obtenidos de estos equipos pueden aplicarse para maximizar sistemas y potenciar la visibilidad en motores de consulta.

    Las zonas de uso de los aparatos de balanceo incluyen múltiples sectores, desde la fabricación de bicicletas hasta el control de la naturaleza. No interesa si se habla de enormes producciones productivas o limitados espacios domésticos, los equipos de balanceo son indispensables para asegurar un desempeño efectivo y libre de detenciones.

Leave a Reply

Your email address will not be published. Required fields are marked *

cybersecurity,
WHAT DRIVES CYBERSECURITY: A COMPREHENSIVE OVERVIEW 
Tsaaro Consulting

WHAT DRIVES CYBERSECURITY: A COMPREHENSIVE OVERVIEW 

In today’s interconnected world, cybersecurity plays a crucial role in protecting our digital lives. From protecting personal data to safeguarding …

February 21, 2025
Transfer Impact Assessments
Understand Transfer Impact Assessments: Insights from CNIL’s Practical Guide 
Tsaaro Consulting

Understand Transfer Impact Assessments: Insights from CNIL’s Practical Guide 

Introduction  A Transfer Impact Assessment (TIA) is a critical evaluation conducted under the General Data Protection Regulation (GDPR) to assess …

February 20, 2025
Draft DPDP Rules
The DPDP Act, 2023 and the Draft DPDP Rules, 2025: What Do They Mean for India’s AI Start-Ups?
Tsaaro Consulting

The DPDP Act, 2023 and the Draft DPDP Rules, 2025: What Do They Mean for India’s AI Start-Ups?

Introduction The Digital Personal Data Protection Act (DPDPA), 2023 and the Draft DPDP Rules, 2025 have ushered in a new …

February 12, 2025
Data Breach Management
Understanding Data Breach Management under the Digital Personal Data Protection Act (DPDPA), 2023 and the Draft DPDP Rules, 2025 
Tsaaro Consulting

Understanding Data Breach Management under the Digital Personal Data Protection Act (DPDPA), 2023 and the Draft DPDP Rules, 2025 

Introduction  The Digital Personal Data Protection Act, 2023 (DPDPA), along with the Draft Digital Personal Data Protection Rules, 2025 (DPDP …

February 10, 2025
Personal Data Protection Act
A Comprehensive Guide to Singapore’s Personal Data Protection Act  
Tsaaro Consulting

A Comprehensive Guide to Singapore’s Personal Data Protection Act  

Introduction  Singapore’s Personal Data Protection Act (PDPA) is the cornerstone of the country’s data protection framework, ensuring that organizations manage …

February 5, 2025
Recent Comments

SHARE THIS POST

Would you like to read regular updates from Tsaaro.
Subscribe to our newsletter

Our Latest Blogs

Read what the latest hapennings in the cyber world are and learn what the
experts have to say about them

© 2024 Tsaaro Consulting. All rights reserved.
Linkedin Instagram Youtube

About Tsaaro

Resources

Other Links

Tsaaro Netherlands Office

Regus Schiphol Rijk Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands

Tsaaro Pune Office

Tech Centre, Rajiv Gandhi Infotech Park, Hinjewadi, Pune, Maharashtra

Tsaaro Noida Office

302, Tower C, ATS Bouquet, Noida Sector – 132, Uttar Pradesh, India

Tsaaro Bengaluru Office I

Manyata, Embassy Business Park, Outer Ring Road, Bengaluru, Karnataka

Tsaaro Bengaluru Office II

Second State, CMH Road, Indiranagar, Bengaluru, Karnataka

Call Our Experts:

+91 95577 22103

small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png

We’d love to help your organization achieve your Data Protection goals!

Schedule a complimentary consultation with our Team of Experts.