Year in Review and What’s Ahead in Data Privacy in Asia

By Desarack Teso, CIPP-A, CIPP-E | December 17 2020, 10:30 PM SGT
Photo by Clay Banks on Unsplash


With year-end approaching for somewhat a chaotic year of 2020, in the world of privacy we have seen the rapid pace of regulatory actions this year and how data protection laws are increasingly being used to restrict cross-border data transfers.

In Europe, we are still awaiting the impact of the Schrems II decision in July where the EU’s Court of Justice applied the General Data Protection Regulation (GDPR) to invalidate a key data transfer mechanism, the EU-US Privacy Shield, for moving personal data from Europe to the United States. The Schrems II decision may also give a nudge to European countries to start looking at jurisdictions with powerful surveillance authorities and restrict transfers to those jurisdictions as well.

In a number of countries in Asia where 2020 saw rapid regulatory movements to align national data protection legislations with GDPR, will we see a similar Schrems II reasonings to restrict data transfers?

Vibrant Actions in Asia in 2020

Take a look at movements in 2020 where these Asian countries have beefed up their data protection legislations or are considering a new legislative bill in line with the GDPR.

  • South Korea (January): Amendments were made to consolidate the legal protection and enforcement provisions for personal information from three different legislations primarily into the Personal Information Protection Act. However, the amendment did not expand on the legal basis for processing and transferring of personal information beyond consent.
  • Thailand (May): The Personal Data Protection Act, which adopts many concepts of the GDPR, was set to come into force in May 2020 but was delayed by a year due to the Covid-19 pandemic. It is expected that the implementation regulations, expected to be issued in early 2021, will address cross-border data transfer mechanisms.
  • Japan (June): The Act on Protection of Personal Information was amended (expected to be implemented by early 2022) to prohibit the data transfer of “personal-related data” (similar concept as GDPR’s pseudonymized data) to a third party except in some specific cases.
  • Singapore (June, November): True to form to its pragmatism identity, the island nation updated its Personal Data Protection Act twice in 2020. In June, the Personal Data Protection Regulations were revised to recognize APEC’s Cross Border Privacy Rules (CBPR) System and the Privacy Recognition for Processors (PRP) System certification as an additional data transfer mechanism outside of Singapore. In November, the Personal Data Protection (Amendment) Bill was passed by Parliament (expected to come into force in early 2021) to align closer to GDPR such as mandatory breach notification, adding legitimate interests exception to consent, and new right to data portability.
  • Indonesia: It is developing a draft Personal Data Protection Bill as the country already put data localization requirements in place through various ministerial and sectoral regulations. The draft bill models after the GDPR on many areas, and prohibits the transfer of personal data outside of Indonesia except in some specific cases.
  • India: The nation continues to consider its comprehensive Personal Data Protection Bill, which requires localization of critical data and copies of sensitive data in India.


More Restrictions Likely in 2021  

Organizations in Asia were hoping that the equalizer to the increasing cross-border data transfer restrictions is the Regional Comprehensive Economic Partnership (RCEP) Agreement signed in November 2020 between the 10-ASEAN member states, Australia, China, Japan, Korea and New Zealand. The RCEP Agreement commits member countries to support cross-border data flow and logically eliminate local computing facilities requirements, promote privacy and consumer protection, and enhance cybersecurity protection. These commitments will no doubt build trust and consumer confidence in online services.

However, the commitment on cross-border data flow and prohibition against local computing facilities do not apply to a “financial institution” or a “public entity,” nor does it apply to localization measures implemented for national security or other legitimate public policy reasons.

Against this landscape, we can expect more restrictions will be forthcoming in 2021.

Can Data Sovereignty Be Achieved Without Data Localization?

There is no easy answer to change the discussion that data localization equates security. For policymakers in Asian jurisdictions, the concerns are not only about personal data protection and access restrictions, but more so about preserving timely government access to data for regulatory supervision and law enforcement purposes. For starters, there need to be a shift in discussion that the location of the data is not as important as the owner of the data having the sole control over access to their data, for example, via encryption keys which can only be resided in the customer’s home jurisdiction.

Then again, adopting a pragmatic approach similar to Singapore – that reflects the development of technology while promoting digital trade – might be the way to go!

Posted in

Related Articles

What’s the path to stronger digital trust in Vietnam?

By Nga Dao The alarming situation I receive spam emails, texts, and calls almost every day and about almost everything: from warning a security threat or inviting to a promotional event to offering sales or investment opportunities. Spam is annoying, but I’m still lucky they haven’t stolen my money. Last month, a friend of mine […]

The Problem with Malaysia’s PADU Initiative

By Edika Amin The Problem with Malaysia’s PADU Initiative   At the time of writing, PADU also known as the Government’s Central Database System’s registrations has reached 1.63 million people, including those of children under 18 who have completed the registration process. There was a recent influx in registration numbers following the announcement that targeted subsidies […]

Why does ASEAN need an Institute for Innovation, Technology and Industry (AITII)?

By How Yong Yang ASEAN, or the Association of the Southeast Asian Nations, has made countless headlines in recent years for different reasons: political, economic, and security. Professor Kishore Mahbubani, former President of the United Nations Security Council, has said that ASEAN should be given the Nobel Peace Prize for its capacity to maintain peace, […]