Navigating Privacy: A Comparative Analysis of Privacy Laws in the ASEAN Region (Part V)
Lexplosion Solutions - Innovating Legally
Summary of the series so far:
In our first blog, we gave an overview of privacy laws in Singapore, Malaysia, and Thailand, setting the foundation for understanding the regulatory landscape in the ASEAN region.
In our second blog, we discussed the applicability of the Data Protection Acts in Singapore, Malaysia, and Thailand.
In our third blog, we dealt with the definitions and categories of personal data and data controllers across the Personal Data Protection Acts of Singapore, Malaysia, and Thailand.
In our fourth blog, we dealt with the mandate of notice and consent under the Personal Data Protection Acts of Singapore, Malaysia, and Thailand.
Singapore’s Personal Data Protection Act (PDPA) provides a comprehensive framework for safeguarding personal data, balancing privacy rights with data processing needs. It emphasises consent, accountability, and data retention. The Act applies to organisations handling personal data in Singapore, excluding individuals acting in a personal capacity and employees acting within the scope of their employment. Personal data is defined as information that identifies an individual, whether on its own or in combination with other data, excluding certain private communications and outdated business contact information. Data controllers are required to notify individuals of the purposes of data collection, obtain informed consent, and avoid misleading practices, although the PDPA allows for certain exceptions.
Malaysia’s Personal Data Protection Act (PDPA) governs personal data processing in Malaysia, focusing on notice, security, retention, and integrity. It applies to commercial transactions involving personal data, excluding NGOs and processing for archival purposes. It applies to both individuals and entities within Malaysia, including foreign data processors that use equipment located in Malaysia. The Act distinguishes between “personal data” and “sensitive personal data,” with stricter rules for the latter: processing sensitive personal data requires explicit consent, whereas ordinary personal data requires only documented consent and imposes fewer obligations on data controllers. Data controllers are required to inform data subjects, in both English and Malay, of the purposes of data collection, how their data will be used, and their rights under the PDPA.
Thailand’s Personal Data Protection Act (PDPA) regulates the collection, use, and disclosure of personal data within Thailand, covering both physical and digital records. It applies to businesses, including those located outside Thailand, that offer goods or services to individuals in Thailand or monitor their behaviour. Exemptions include personal or household use, media activities, and credit bureaus. Personal data is defined as information that enables the identification of an individual. The Act mandates explicit consent for the collection of sensitive data. The law requires businesses to obtain clear consent, disclose the purposes of data collection, and inform individuals if their data is collected from sources other than the data subject, with that notification required within 30 days of collection.
In this final instalment, we discuss the regulation of data transfer, localisation, and data breaches under the Personal Data Protection Acts of Singapore, Malaysia, and Thailand.
Data Transfer and Localisation
Singapore
The PDPA – Singapore places limitations on data controllers with regard to the transfer of personal data outside the country. When a data controller transfers personal data to another entity outside Singapore, for example to a company within the same corporate group for centralised functions or to a data intermediary for processing, it relinquishes direct control over that data. However, where personal data is transferred or located overseas but remains in the data controller’s possession or under its control, the data controller must still comply with all of the Data Protection Provisions. For instance, if an employee travels abroad with customer lists on a notebook, if the organisation operates an overseas warehouse for storing customer records, or if it uses overseas data centres to store personal data, it remains obligated to protect the data, to facilitate access and correction requests, and to include these overseas data repositories in its data retention policy[1]. Additionally, the PDPA in Singapore and its allied regulations set out prerequisites for transferring personal data overseas. In essence, a data controller may transfer personal data abroad only if it ensures that the overseas recipient is bound by legally enforceable obligations, or holds a specified certification, that guarantees a standard of protection comparable to that under the PDPA in Singapore. This ensures that, regardless of where the personal data is processed or stored, it remains safeguarded to Singapore’s data protection standards. Where the PDPA requires the individual’s consent, that consent must still be obtained; the transfer conditions do not replace it.
Malaysia
The PDPA – Malaysia generally restricts the transfer of personal data beyond the country’s borders unless specific conditions are fulfilled. These conditions include obtaining the consent of the data subject; the transfer being necessary for the performance of a contract between the data subject and the data user; the transfer being necessary for the conclusion or performance of a contract between the data user and a third party that is entered into at the request of the data subject or is in the data subject’s interests; the transfer being for the purpose of legal proceedings or obtaining legal advice; the transfer being necessary to protect the data subject’s vital interests; or the transfer being in the public interest as determined by the Minister. Additionally, transfers have been permitted to countries specified by the Minister, on the recommendation of the Personal Data Protection Commissioner, by notification published in the Gazette. This position changes from April 2025, when the Personal Data Protection (Amendment) Act 2024 comes into effect. The amendment to Section 129 removes the Minister’s power to specify permitted destination countries by Gazette notification and instead allows the data controller to transfer personal data, provided the conditions set out in the Act are met. In essence, the data must continue to be safeguarded to Malaysia’s standards after it leaves the country.
Thailand
Under the PDPA – Thailand, the transfer of personal data abroad is subject to strict limitations, although the PDPA sub-regulations have significantly broadened the scope for lawful cross-border transfer. Data may be transferred only to countries or international organisations that maintain an adequate level of personal data protection as prescribed under the PDPA. The regulations provide for a notification by the Personal Data Protection Committee (PDPC) of whitelisted destination countries. It is the responsibility of organisations to keep track of this list, as the PDPC reviews it periodically. There are, however, exceptions to the adequacy requirement. Transfers are permissible if one or more of the legal grounds specified under the law are satisfied. These grounds include obtaining consent from the data subject, fulfilling contractual obligations, responding to the data subject’s request, serving significant public interest reasons, complying with legal obligations, or preventing or suppressing a danger to the life, body, or health of the data subject or other persons when the data subject is unable to give consent. Moreover, transfers to affiliates of a Thai data controller or processor within the same group are also permitted, provided the group adheres to a personal data protection policy that has been “reviewed and certified” by the PDPC.
Data Breach
Singapore
In the event of a notifiable data breach concerning personal data held by a data controller, prompt notification is essential. “The notification to the Commissioner by the organisation should be ‘as soon as practicable and in any case not later than 3 calendar days’ of the assessment of the breach”[2]. An organisation that acts as a data intermediary “processing personal data for public agencies” must notify the relevant public agencies without undue delay. If the breach results in, or is likely to result in, significant harm to data subjects, the affected individuals must also be notified within a reasonable timeframe on or after notification to the Commission. Such notifications should set out the circumstances of the breach, the types of personal data affected, the potential harm, the mitigation measures taken, the steps affected individuals can take to protect themselves, and contact details. However, if the Commission so directs, the affected individuals need not be notified.
Notifiable data breaches are those that result in, or are likely to result in, significant harm to affected individuals, or that are, or are likely to be, of a significant scale. A breach affecting 500 or more individuals is considered a breach of significant scale. A breach that is confined within an organisation, with no unauthorised external access, is deemed not to be a notifiable breach.
Malaysia
Presently, the PDPA – Malaysia contains no provisions on data breach notification. However, under the Personal Data Protection (Amendment) Act 2024, a breach of personal data must be notified to the Commissioner, and where the breach causes or is likely to cause significant harm to the data subject, the data subject must also be notified. The Commissioner will determine the manner and form of notification.
While it is not currently a mandatory requirement under the PDPA, data breach notification to the Commissioner can already be made online. The information required includes the particulars of the data user and of the person giving the notification, details of the data breach, containment and recovery measures, and notifications made to other parties (regulators and law enforcement agencies, affected parties, data processors, or overseas data protection authorities).
As mentioned above, this position changes from June 1, 2025, when notification of a personal data breach becomes mandatory, with non-compliance being an offence punishable by a fine not exceeding “two hundred and fifty thousand ringgit or imprisonment for a term not exceeding two years or to both”[3].
Thailand
Under the PDPA – Thailand, a personal data breach must be notified to the Personal Data Protection Committee without undue delay and, where feasible, no later than 72 hours after the data controller becomes aware of it, unless the breach is “unlikely to result in a risk to the rights and freedoms” of data subjects. If the breach is likely to result in a high risk to data subjects’ rights and freedoms, the data controller must also notify the affected data subjects, together with the remedial measures, without undue delay.
Conclusion
As mentioned at the start of this series, the “world at our fingertips” ethos has ushered in an era of relentless data collection that results in individual profiling and heightened digital surveillance, gradually eroding personal autonomy. As part of this series we have looked at the significant steps taken by Singapore, Malaysia, and Thailand to protect personal data while allowing businesses to operate efficiently. While each country’s Personal Data Protection Act (PDPA) shares key principles such as consent, accountability, and transparency, each has its own unique provisions.
With Malaysia set to enforce stricter breach notification and data transfer rules in 2025, its law will align more closely with global standards. Meanwhile, Singapore continues to uphold rigorous protections even when data is transferred overseas, and Thailand continues to refine its approach to cross-border data transfers. All three countries seek to ensure that personal data leaving their jurisdiction enjoys the same, if not a higher, standard of protection that it would have enjoyed at home, which requires businesses to remain vigilant.
Way Forward
The exponential growth of data and cross-border transactions underscores the imperative for a robust data protection regime. Certain Asian nations are leading the charge in safeguarding their citizens’ data, while others are still on the path to progress. Privacy laws in the ASEAN region continue to evolve, presenting both challenges and opportunities for organisations operating in the region. Organisations should regularly evaluate their data processes and policies to ensure compliance with applicable laws. Compliance management companies play a crucial role in assisting organisations on this journey, offering expertise and guidance to help ensure compliance with laws across borders.
Komrisk, our compliance risk management tool, offers an enterprise-level solution for regulatory compliance management. It consolidates the efforts of business, marketing, finance, technology, and legal teams onto a single platform, fostering collaboration among diverse stakeholders to ensure compliance at all levels. Additionally, it functions as a repository of relevant compliance obligations in the form of simple actionables, along with the corresponding penalties for non-compliance.
With the ability to upload tangible evidence of compliance, Komrisk validates the completion of compliance tasks and features a flexible escalation mechanism spanning up to ten levels. It also offers real-time dashboard reports, empowering senior management with insights to enhance operational efficiency, promote transparency, and monitor compliance status in real-time. By evaluating potential risks associated with pending compliances across all entities, operating units, and departments, Komrisk facilitates informed decision-making and provides a panoramic view of the organization’s compliance landscape.
Links:
Thailand: https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf
Malaysia: Personal Data Protection Act 2010 (Act 709) (kkd.gov.my)
[1] https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/advisory-guidelines-on-key-concepts-in-the-pdpa-17-may-2022.pdf
Written by: Vidya Mukherjee
Co-authored by: Abhishek Roy
Disclaimer
The information provided on this blog is for general informational purposes only and is not a substitute for professional legal advice. We are not a law firm and are not authorized to practice law in your jurisdiction. Laws and regulations are complex and constantly changing, and information that may be true in one jurisdiction may not apply in another. Before acting on any information you read here, you should consult with a qualified lawyer practicing in the relevant jurisdiction for your specific legal issues or concerns. While we strive to provide accurate and up-to-date information, we make no guarantees that the information on this blog is completely current or error-free. We disclaim any liability for any actions taken or not taken based on the information on this blog.