Data Privacy Laws in South East Asia

Updated: Jan 11, 2021

The combined GDP of ASEAN (the Association of South East Asian Nations) tops $2.6 trillion, which is the 3rd largest in Asia and 7th largest in the world. With a population of over 600 million, the ASEAN market is bigger than the EU or North America.

With this tremendous opportunity for economic growth, ASEAN has committed to harmonizing legal infrastructure for e-commerce for the integration of the e-ASEAN Sector. One of the goals in this strategic initiative for the ASEAN Economic Community (AEC) is to adopt best practices concerning cyber security and data protection. The Philippines, Malaysia and Singapore are at the forefront of the data protection policy framework and its implementation.

ASEAN Prospects:

In Singapore, the Personal Data Protection Act 2012 (PDPA) is the primary governing law for protecting individual privacy. The PDPA applies to all electronic and non-electronic communications that deal with data collection, processing, or disclosure within Singapore, regardless of whether they have an actual physical presence in the country. The act requires companies to obtain customers’ consent, establish a reasonable purpose for obtaining the data, and inform their customers of all the data processes. Penalties of up to 1 million Singapore dollars or up to 3 years in prison are applicable if the law is not adhered to.

Malaysia – Malaysia’s Personal Data Protection Act 2010 (PDPA), through its Personal Data Protection Department, excludes the government sector from its scope. The Malaysian PDPA requires that individuals be notified of data collection, give consent, and be informed about the purposes for which the data is being collected. The PDPA prohibits any disclosure of personal information that is not pre-declared to the customer, and the information must be kept secure and not retained for longer than is defined in the privacy policy. Individuals must also be allowed to access their stored information.

In the Philippines, the Data Privacy Act (DPA) was passed into law in 2012. This made the country the second in Southeast Asia to promulgate a comprehensive data protection law. It was only in 2016, however, that it was actively implemented, with the establishment of the National Privacy Commission and the subsequent issuance of the statute’s Implementing Rules and Regulations.

Brunei Darussalam – This country is guided by a Data Protection Policy which covers personal data (in electronic or manual form) managed by government and educational institutions.

Cambodia – The Kingdom of Cambodia has yet to announce plans regarding the formulation of a national law on privacy and data protection.

Indonesia has a regulation for the protection of personal data in electronic systems, and the Communications and Information Ministry seems very keen on passing a personal data protection bill in 2018.

Laos – The Lao People’s Democratic Republic has enacted laws that cover provisions relating to the protection of personal information: Law Protection of Electronic Data (2017) and Law on Prevention and Combating Cyber Crime (2015).

Myanmar – In March 2017, Myanmar promulgated a law entitled Protecting the Privacy and Security of Citizens (Union Parliament Law 5/2017). According to the Myanmar Center for Responsible Business (MCRB), the law prohibits interception of citizens’ electronic communications, private correspondence, and physical privacy, unless otherwise warranted by an “order”.

Thailand – The Kingdom of Thailand has draft legislation pending approval, but has its Official Information Act 1997 to protect its citizens’ personal information that is being processed by state agencies.

Vietnam – Vietnam has laws regarding Cyber Information Security (2016), Information Technology (2006), E-Transactions (2005), and a law on Protection of Consumers’ Rights (2010). Article 21 requires the individual’s consent before the subject’s data is collected, processed, or used, and requires that the purpose for which it is being collected be stated. The individual can request to personally manage the information, and the information controller or processor must immediately take the necessary measures.

ASEAN adopted its regional declaration on privacy with its 2012 Human Rights Declaration. Article 21 of the declaration states that:

“Every person has the right to be free from arbitrary interference with his or her privacy, family, home or correspondence including personal data, or to attack upon that person’s honour and reputation. Every person has the right to the protection of the law against such interference or attacks.”

ASEAN’s efforts have cumulatively led to the establishment of the ASEAN Framework on Personal Data Protection in 2016. The Framework states the principles on data protection to help the members implement domestic laws and regulations aligned with the global framework.

In the age of digitization, voluminous personal data is being generated, and economies across the globe are therefore rallying towards “Data Privacy” and “Data Protection” laws with much seriousness to maintain economic growth and avoid cyber threats. With global frameworks like the GDPR and the ASEAN Framework on Personal Data Protection, all the trans-national groups have started to converge. This puts a mandate on corporates to revamp their existing systems and make them compliant with the laws.

Technology Approach to achieving compliance

Companies should assess and audit whether GDPR and local laws are applicable. If a company falls under the framework, then its products and services need to be revamped. For example, to comply with the Personal Data Protection Act 2010 (PDPA), solutions such as Vaultastic, a cloud-based email archiving solution, help clients achieve the required compliance of user consent and data management in a hassle-free manner. It helps in keeping corporate emails secure and easily retrievable when required, adhering to the principles of “accountability” in the GDPR.

In addition, SkyConnect, a cloud-based email solution, brings in world-class, cost-effective email collaboration and enables Data Governance. These products set industry standards when it comes to “data location”, “personal data” and “sensitive personal data” as defined in the GDPR. To comply with native and international laws, the self-declaration of a Privacy Policy is also necessary. This demonstrates legal accountability, readiness and competitiveness, which in turn opens new business opportunities in today’s connected world.

Vaultastic and SkyConnect together offer a complete suite for Data Privacy compliance. The products not only reflect a high level of sophistication, but also demonstrate the ability to help companies within ASEAN stay on the right side of the law when dealing with personal data in international geographies.