Year in Review and What’s Ahead in Data Privacy in Asia

By Desarack Teso, CIPP-A, CIPP-E | December 17 2020, 10:30 PM SGT
Photo by Clay Banks on Unsplash


With year-end approaching for somewhat a chaotic year of 2020, in the world of privacy we have seen the rapid pace of regulatory actions this year and how data protection laws are increasingly being used to restrict cross-border data transfers.

In Europe, we are still awaiting the impact of the Schrems II decision in July where the EU’s Court of Justice applied the General Data Protection Regulation (GDPR) to invalidate a key data transfer mechanism, the EU-US Privacy Shield, for moving personal data from Europe to the United States. The Schrems II decision may also give a nudge to European countries to start looking at jurisdictions with powerful surveillance authorities and restrict transfers to those jurisdictions as well.

In a number of countries in Asia where 2020 saw rapid regulatory movements to align national data protection legislations with GDPR, will we see a similar Schrems II reasonings to restrict data transfers?

Vibrant Actions in Asia in 2020

Take a look at movements in 2020 where these Asian countries have beefed up their data protection legislations or are considering a new legislative bill in line with the GDPR.

  • South Korea (January): Amendments were made to consolidate the legal protection and enforcement provisions for personal information from three different legislations primarily into the Personal Information Protection Act. However, the amendment did not expand on the legal basis for processing and transferring of personal information beyond consent.
  • Thailand (May): The Personal Data Protection Act, which adopts many concepts of the GDPR, was set to come into force in May 2020 but was delayed by a year due to the Covid-19 pandemic. It is expected that the implementation regulations, expected to be issued in early 2021, will address cross-border data transfer mechanisms.
  • Japan (June): The Act on Protection of Personal Information was amended (expected to be implemented by early 2022) to prohibit the data transfer of “personal-related data” (similar concept as GDPR’s pseudonymized data) to a third party except in some specific cases.
  • Singapore (June, November): True to form to its pragmatism identity, the island nation updated its Personal Data Protection Act twice in 2020. In June, the Personal Data Protection Regulations were revised to recognize APEC’s Cross Border Privacy Rules (CBPR) System and the Privacy Recognition for Processors (PRP) System certification as an additional data transfer mechanism outside of Singapore. In November, the Personal Data Protection (Amendment) Bill was passed by Parliament (expected to come into force in early 2021) to align closer to GDPR such as mandatory breach notification, adding legitimate interests exception to consent, and new right to data portability.
  • Indonesia: It is developing a draft Personal Data Protection Bill as the country already put data localization requirements in place through various ministerial and sectoral regulations. The draft bill models after the GDPR on many areas, and prohibits the transfer of personal data outside of Indonesia except in some specific cases.
  • India: The nation continues to consider its comprehensive Personal Data Protection Bill, which requires localization of critical data and copies of sensitive data in India.


More Restrictions Likely in 2021  

Organizations in Asia were hoping that the equalizer to the increasing cross-border data transfer restrictions is the Regional Comprehensive Economic Partnership (RCEP) Agreement signed in November 2020 between the 10-ASEAN member states, Australia, China, Japan, Korea and New Zealand. The RCEP Agreement commits member countries to support cross-border data flow and logically eliminate local computing facilities requirements, promote privacy and consumer protection, and enhance cybersecurity protection. These commitments will no doubt build trust and consumer confidence in online services.

However, the commitment on cross-border data flow and prohibition against local computing facilities do not apply to a “financial institution” or a “public entity,” nor does it apply to localization measures implemented for national security or other legitimate public policy reasons.

Against this landscape, we can expect more restrictions will be forthcoming in 2021.

Can Data Sovereignty Be Achieved Without Data Localization?

There is no easy answer to change the discussion that data localization equates security. For policymakers in Asian jurisdictions, the concerns are not only about personal data protection and access restrictions, but more so about preserving timely government access to data for regulatory supervision and law enforcement purposes. For starters, there need to be a shift in discussion that the location of the data is not as important as the owner of the data having the sole control over access to their data, for example, via encryption keys which can only be resided in the customer’s home jurisdiction.

Then again, adopting a pragmatic approach similar to Singapore – that reflects the development of technology while promoting digital trade – might be the way to go!

Posted in

Related Articles

Consumer data privacy: a snapshot of new regulations in Vietnam

By Nga Dao The first half of 2023 has witnessed some key developments in Vietnam’s data privacy legislation. These particularly include the issuance of the first-ever decree on personal data protection (Decree 13/2023/ND-CP or PDPD) in April and the adoption of the Law on E-Transactions and Law on Consumers’ Right Protection in June, both of […]

Thailand’s improving internet freedom under the new government

By Pett Jarupaiboon Thailand’s politics is currently in transition. Thai voters voiced their demands and are looking for a change after almost a decade under the Prayuth regime. As the winner in the election, the Move Forward Party (MFP) is trying to form a government and among the sweeping policies to reform the country, digital […]

The Illusion of Regulation: Unveiling the Truth Behind Misinformation

By Edika Amin Prevalence of Misinformation in Asia Pacific Misinformation is defined as false or misleading information that is spread, regardless of intent to mislead. Essentially, misinformation doesn’t care about intent, and so is simply a term for any kind of false or misleading information. The spread of misinformation is becoming a significant issue in […]