Personal Data Protection Act

The ASEAN Framework on Personal Data Protection, established in 2016, harmonizes data protection standards in the APAC region.


The ASEAN Framework

The ASEAN Framework on Personal Data Protection is a regional initiative in the APAC region, aimed at harmonizing data protection standards across Southeast Asia. While it does not establish a binding law like the European Union’s General Data Protection Regulation (GDPR), it serves as a guiding framework that encourages member states to develop and strengthen their own data protection laws and practices. This cooperative agreement facilitates digital trade and information flow in accordance with the framework’s principles: protection of personal data, cooperation among members, free flow of information, and confidentiality. Amendments to the framework require mutual agreement.

The framework, established in 2016, provides broad principles for data governance and is complemented by the 2018 ASEAN Framework on Digital Data Governance. It also plays a major role in reinforcing defenses against cyber-attacks, including ransomware, through strict data management practices.


Differences between APAC countries

Let’s focus on the data protection laws of certain ASEAN countries (Singapore, Malaysia, the Philippines, Thailand, Vietnam and Indonesia). Differences can be observed between the countries leading the way, which took inspiration from the GDPR in 2018, and others that are a little further behind on this matter.

The Singapore Parliament passed the Personal Data Protection (Amendment) Bill 2020, introducing significant updates to the PDPA overseen by the Personal Data Protection Commission (PDPC). The amendments improve the flow of data between service providers and give consumers more control over their data. They came into effect in phases, starting on February 1, 2021, and include mandatory data breach notifications and new consent provisions. The Data Portability Obligation is yet to be implemented.

Major amendments effective from February 2021 include increased financial penalties and provisions against dictionary attacks and address-harvesting software. For non-compliance, the maximum financial penalty is 10% of an organization’s annual turnover in Singapore where that turnover exceeds S$10 million (applicable from October 1, 2022), or S$1 million otherwise.

Following a 2020 public consultation, Malaysia presented amendments to its Personal Data Protection Act 2010 (“PDPA”) in Parliament in October 2022. These changes introduce new obligations for data users and data processors. Key amendments include mandatory data breach reporting, the appointment of data protection officers, and specific duties for data processors. The proposals aim to raise data protection standards in line with global practices, and require businesses to adapt to new compliance responsibilities.

In January 2023, Malaysia’s Communications and Digital Minister Fahmi Fadzil stated that the Personal Data Protection Department (“JPDP”) is refining the amendments with additional aspects for improved applicability. A key change is the mandatory notification of breaches by companies to JPDP. Fahmi highlighted the need for higher fines for data misuse, noting the inadequacy of current penalties, which have averaged RM24,000 per company since 2017.

The National Privacy Commission is actively promoting adherence to data privacy standards across various sectors in the Philippines. To align with the stringent standards and requirements of the EU GDPR, the Philippine Data Privacy Act of 2012 has been supplemented with rules and regulations that reflect EU GDPR principles. The corresponding implementing rules and regulations (IRR) of the DPA were issued in 2016.

The Philippines’ National Privacy Commission issued Circular No. 2022-01, effective August 27, 2022, introducing fines for Data Privacy Act breaches. Fines vary based on the severity of infraction, with a maximum cap of PHP 5 million for grave violations. The circular ensures due process before imposing fines, and non-payment may result in legal consequences.

Indonesia’s new Personal Data Protection Law (PDP Law), Law No. 27 Year 2022, was enacted on 17 October 2022, marking significant progress in personal data protection. This umbrella law offers more comprehensive and integrated protection than the previous, fragmented regulations. It applies to individuals, corporations, public entities, and international organizations within Indonesia, and also affects foreign entities if legal impacts occur in Indonesia or involve Indonesian citizens.

In Indonesia, the Personal Data Protection Law imposes criminal sanctions for unauthorized data activities with penalties of up to 6 years imprisonment and fines up to IDR 6 billion. Corporations may face tenfold higher fines and additional consequences like dissolution. Administrative sanctions include warnings, suspensions, and fines.

Thailand’s Personal Data Protection Act 2019 (PDPA) was delayed until May 31, 2022, due to COVID-19. The PDPA establishes the Personal Data Protection Committee (PDPC) for regulatory guidance and includes key data subject rights, such as access, rectification and protection of personal data. Organizations must appoint a Data Protection Officer (DPO), implement data subject request processes, monitor data risks, optimize data collection, document breaches, control third-party access to data, approve a data protection plan and keep up to date with regulatory changes.

In Thailand, non-compliance with the Personal Data Protection Act 2019 (PDPA) can result in civil actions for damages, criminal penalties including fines and imprisonment for abusive use of data, and administrative fines of up to five million baht for violations such as unauthorized data processing or failure to notify data breaches.

The Vietnamese government passed Decree No. 13/2023/ND-CP on Personal Data Protection (Decree 13) on April 17, 2023, consolidating Vietnam’s data protection regulations. Effective July 1, 2023, it applies to entities within Vietnam and those processing data related to Vietnamese individuals or activities. Decree 13 aligns with global data privacy trends, resembling aspects of the European GDPR, and emphasizes the importance of data privacy in Vietnam. Businesses must prepare for compliance, particularly concerning cross-border data transfers and data subject rights management.

In Vietnam, non-compliance with the Data Privacy Law can lead to varying penalties. Failing to obtain consent for data collection may result in fines up to $850, while improper use of data can incur fines around $2,560. Additionally, violations of data safety and confidentiality rules can attract criminal sanctions, including warnings, fines, and prison sentences up to 3 years.


How to eliminate the risk of data leaks, and why an in-house solution is not always the best solution?

DOT Anonymizer is a ready-to-use solution for anonymizing and pseudonymizing a company’s personal data in order to eliminate the risk of data leakage. Compared with building an in-house tool, using an external solution reduces development and maintenance time, cuts costs, and enhances data security easily and effectively by preventing unauthorized people from accessing personal information. Your teams outside production work with fictional but realistic data on all kinds of platforms and database types.

In addition to this high-performance tool, DOT Extract speeds up your testing processes: sampling datasets reduces storage and administration costs, as well as the carbon footprint generated by the large volume of production databases.


Do you want to anonymize your test data?

Automate the process using DOT Anonymizer!