Some Asian countries have had difficulty enacting and enforcing comprehensive data protection legislation. After a few delays due to COVID-19, the Thailand PDPA, for example, went into effect in 2022.
In 2022, Japan, China, Singapore, and the UAE updated their data protection laws.
Nonetheless, some major economies, such as India and Indonesia, lack comprehensive legislation.
In some countries, this has changed. It is about to change in other countries.
This article will provide an overview of what has changed and what to expect in Asia in the future. We'll start with laws that go into effect in 2023 and work our way up to those that could be passed soon. Finally, we'll go over the laws that may need to be changed this year in order to be better prepared for 2024, including Japan's APPI.
Data Protection Laws Coming into Effect in 2023
Currently, Saudi Arabia is the only country with a new data protection law set to take effect in 2023.
Saudi Arabia
Saudi Arabia's Personal Data Protection Law (PDPL) goes into effect on March 17, 2023. It was supposed to go into effect sooner, but it has been delayed until later this year.
It is a comprehensive law that imposes stringent requirements on Saudi and foreign businesses that sell or provide services to Saudi citizens.
Unlike most other data protection laws, Saudi law requires businesses to register with the government as data controllers and pay a registration fee. Furthermore, they must register their processing activities.
Other obligations include:
- Obtaining explicit consent for personal data processing
- Obtaining approval from authorities for international data transfers of Saudi residents
- Conduct impact assessments to assess the privacy risks to individuals
- Respond to data subject requests to exercise rights
- Notify authorities of all data breaches
Violations may result in a monetary fine of up to one million Saudi riyals ($250,000) and up to one year in prison.
Data Protection Laws That May Be Enacted in 2023
India and Malaysia are on the verge of enacting new privacy laws or revising existing ones.
India
India's Digital Personal Data Protection Bill could be passed in 2023. The Indian government has made numerous unsuccessful attempts to pass a comprehensive data protection law.
The current draft is still under consideration by the legislative bodies. It has been criticized, but it has also received a lot of positive feedback.
Businesses will be required to obtain explicit consent, similar to the GDPR standard in Europe. Businesses will be allowed to consider the consent given by customers in some cases.
It also provides access, deletion, correction, portability, and other privacy rights.
The law's effective date is still unknown. If it is passed in 2023, it is unlikely to go into effect before 2024, because privacy laws typically provide a grace period for companies to adjust.
Update: Discover the India Digital Personal Data Protection Act – India's first comprehensive data protection law and understand the differences between the GDPR and DPDPA.
Malaysia
Malaysia's Personal Data Protection Act of 2010 is still in effect, but it may be updated soon. Data subjects already have legal rights to data protection. In many cases, consent is also required for data processing.
Among the proposed changes are the following:
- Appointment of Data Protection Officers in some cases
- Obligatory reporting of data breaches to authorities and data subjects
- Introducing the right to portability of personal data
- Requirement for data processors to comply with the data security standards prescribed for data controllers
- Prescribes a blacklist of countries to which cross-border data transfers are prohibited (unlike the EU, which prescribes a whitelist of countries with adequacy decisions).
The changes bring Malaysian law up to date, but the requirements for consent and other processing are not as stringent as in Thailand's, Indonesia's, Japan's APPI, and possibly India's new laws.
Data Protection Laws Coming into Effect in 2024
Some data protection laws will go into effect in 2024, but you should start planning for them now. (Read about Japan's APPI)
Indonesia
For a long time, the Indonesian government, like India, has been attempting to pass a comprehensive data protection law.
In 2022, the Indonesian Personal Data Protection Law was enacted.
You'll have time to adjust your privacy practices to the new requirements by 2023. It goes into effect in 2024. Penalties for noncompliance could range from 4 to 6 billion Indonesian rupiahs, or $250,000 to $390,000. Some offenses may result in a 4-6 year prison sentence.
The following are the most important requirements:
- Provide users with a privacy notice
- Obtain explicit and specific consent for data processing
- Notify data subjects and authorities about any data breaches
- Honor data subject requests
- Comply with the cross-border data transfer standards
- Do data protection impact assessments in some cases
- Appoint a DPO where required
The Indonesia PDPL is similar to the EU's GDPR, but also to Thailand's PDPA, which was also modeled after EU law that sets global standards.
