Technology and the rise of the digital economy has transformed our lives for the better in many ways. However, data breaches and data security threats loom over us. The incident involving Cambridge Analytica in 2018 where millions of Facebook users’ data were obtained without proper permission, underscores the risks associated with freely sharing personal data digitally and the need to have robust laws and practices to protect personal data and privacy.

Thank you to ZICO Law for sponsoring this post.

The development of data protection regulation in ASEAN has so far been uneven. Until recently, Singapore, Malaysia and the Philippines were the only countries with personal data protection laws. The latest country in ASEAN to enact data protection laws is Thailand, with the Parliament passing the Personal Data Protection Act in early 2019. Indonesia has been mulling over it and had a draft legislation which has yet to make its way through the legislative process.

The coming into force of the European Union’s General Data Protection Regulations (“EU GDPR”) on 25 May 2018 has introduced even higher standards, stricter laws and tougher sanctions in the EU with extra-territorial application. The EU GDPR regulates the usage of data of its citizens by companies in terms of data, privacy, security and transparency not only in its region but also companies or organisations worldwide that process or hold data of EU residents.

As ASEAN trades heavily with Europe, it is becoming important for businesses to comply with the regulations. Because of the EU GDPR, many of the ASEAN countries are reviewing their own data protection laws and may develop a similar regulatory framework to protect their citizens and enable local businesses to operate globally through some sort of comity in regulatory approach.

Malaysia is in the midst of reviewing its Personal Data Protection Act 2010 to ensure that it is streamlined with the EU GDPR. Singapore’s Personal Data Protection Act 2012 shares many of the EU GDPR principles, in that they both require customer consent for all communications regarding data collection, data processing or disclosure of data. As part of an ongoing review, a discussion paper was issued to introduce the right to data portability, which gives users greater control over the movement of their information across service providers.

Thank you to ZICO Law for sponsoring this post.

Philippines Data Privacy Act came into effect in 2016 and regulators have issued recommendations to ensure compliance with data privacy laws. The Personal Data Protection Act recently passed in Thailand offers citizens similar protections to the EU GDPR. While the remaining countries in ASEAN may not have overarching regulatory frameworks for data protection, there are laws in specific sectors or for electronic media. This publication provides a snapshot of the various aspects and considerations that are relevant to the protection of personal data across ASEAN.

Sharon Tan

ASEAN Data Protection Laws & Readiness for EU GDPR


Posted by ZICO Law

ZICO Law is the first network of leading independent local law firms with a full presence in all 10 ASEAN countries. With a presence in 18 cities in 10 out of 10 ASEAN countries, our 300 lawyers enable our clients to enjoy value-added legal services by leveraging on a combination of local expertise and regional insights.

Leave a Reply