January 16, 2023

Preparing for the Future of Data Protection in Asia: What to Expect From 2023

This article will provide an overview of what has changed and what to expect in Asia in the future. We'll start with laws that go into effect in 2023 and work our way up to those that could be passed soon. Finally, we'll go over the laws that may need to be changed this year in order to be better prepared for 2024. 

Some Asian countries have had difficulty enacting and enforcing comprehensive data protection legislation. After a few delays due to COVID-19, the Thailand PDPA, for example, went into effect in 2022. 

In 2022, Japan, China, Singapore, and the UAE updated their data protection laws. 

Nonetheless, some major economies, such as India and Indonesia, lack comprehensive legislation. 

In some countries, this has changed. It is about to change in other countries. 

This article will provide an overview of what has changed and what to expect in Asia in the future. We'll start with laws that go into effect in 2023 and work our way up to those that could be passed soon. Finally, we'll go over the laws that may need to be changed this year in order to be better prepared for 2024. 

Data Protection Laws Coming into Effect in 2023

Currently, Saudi Arabia is the only country with a new data protection law set to take effect in 2023. 

Saudi Arabia

Saudi Arabia's Personal Data Protection Law (PDPL) goes into effect on March 17, 2023. It was supposed to go into effect sooner, but it has been delayed until later this year. 

It is a comprehensive law that imposes stringent requirements on Saudi and foreign businesses that sell or provide services to Saudi citizens. 

Unlike most other data protection laws, Saudi law requires businesses to register with the government as data controllers and pay a registration fee. Furthermore, they must register their processing activities.

Other obligations include:

  • Obtaining explicit consent for personal data processing
  • Obtaining approval from authorities for international data transfers of Saudi residents
  • Conduct impact assessments to assess the privacy risks to individuals
  • Respond to data subject requests to exercise rights
  • Notify authorities of all data breaches

Violations may result in a monetary fine of up to one million Saudi riyals ($250,000) and up to one year in prison. 

Data Protection Laws That May Be Enacted in 2023

India and Malaysia are on the verge of enacting new privacy laws or revising existing ones. 


India's Digital Personal Data Protection Bill could be passed in 2023. The Indian government has made numerous unsuccessful attempts to pass a comprehensive data protection law. 

The current draft is still under consideration by the legislative bodies. It has been criticized, but it has also received a lot of positive feedback. 

Businesses will be required to obtain explicit consent, similar to the GDPR standard in Europe. Businesses will be allowed to consider the consent given by customers in some cases. 

It also provides access, deletion, correction, portability, and other privacy rights. 

The law's effective date is still unknown. If it is passed in 2023, it is unlikely to go into effect before 2024, because privacy laws typically provide a grace period for companies to adjust. 


Malaysia's Personal Data Protection Act of 2010 is still in effect, but it may be updated soon. Data subjects already have legal rights to data protection. In many cases, consent is also required for data processing. 

Among the proposed changes are the following: 

  • Appointment of Data Protection Officers in some cases
  • Obligatory reporting of data breaches to authorities and data subjects
  • Introducing the right to portability of personal data
  • Requirement for data processors to comply with the data security standards prescribed for data controllers
  • Prescribes a blacklist of countries to which cross-border data transfers are prohibited (unlike the EU, which prescribes a whitelist of countries with adequacy decisions).

The changes bring Malaysian law up to date, but the requirements for consent and other processing are not as stringent as in Thailand's, Indonesia's, and possibly India's new laws. 

Data Protection Laws Coming into Effect in 2024

Some data protection laws will go into effect in 2024, but you should start planning for them now.


For a long time, the Indonesian government, like India, has been attempting to pass a comprehensive data protection law. 

In 2022, the Indonesian Personal Data Protection Law was enacted. 

You'll have time to adjust your privacy practices to the new requirements by 2023. It goes into effect in 2024. Penalties for noncompliance could range from 4 to 6 billion Indonesian rupiahs, or $250,000 to $390,000. Some offenses may result in a 4-6 year prison sentence. 

The following are the most important requirements: 

  • Provide users with a privacy notice
  • Obtain explicit and specific consent for data processing
  • Notify data subjects and authorities about any data breaches
  • Honor data subject requests
  • Comply with the cross-border data transfer standards
  • Do data protection impact assessments in some cases
  • Appoint a DPO where required

The Indonesia PDPL is similar to the EU's GDPR, but also to Thailand's PDPA, which was also modeled after EU law that sets global standards.

Start your Free Trial

Top GDPR-Compliant Analytics Tools: Safeguarding User Privacy in 2023

Learn about the complexities of using Google Analytics 4 in accordance with the EU's General Data Protection Regulation (GDPR). Explore the compliance issues, and steps to make GA4 GDPR compliant, and discover privacy-friendly alternatives that provide powerful website analytics while respecting user privacy and data protection laws.

  • GDPR
  • Europe GDPR

Understanding Compliance: Navigating CCPA Regulations with Google Analytics 4

Discover the compatibility of Google Analytics 4 with the California Consumer Privacy Act (CCPA). This article explores the CCPA compliance of GA4, outlines the obligations it imposes on businesses, and provides insights on how to handle CCPA requirements while using Google Analytics 4 for data collection and analysis. Learn about opt-out mechanisms, data retention periods, and consumer request obligations to ensure compliance with CCPA regulations.

  • USA
the 10 pipeda principles

10 Principles of PIPEDA Explained: A Comprehensive Guide to Privacy Compliance

Learn about the 10 principles of PIPEDA, the federal privacy law of Canada, and understand how to ensure privacy compliance for your organization. Discover key concepts such as accountability, consent, limiting collection, safeguards, and more. Get insights into the applicability of PIPEDA and how it compares to other data protection laws worldwide. Stay informed and protect personal data in accordance with Canadian privacy regulations.

  • Canada
  • Canada PIPEDA