As Vietnam, Malaysia, and Indonesia update their data protection regulations, Southeast Asia enters a new era of privacy protection. Here’s a summary of the proposed changes in these nations. Organizations are advised to swiftly update their data protection compliance programs to align with these new developments.
VIETNAM

In September 2024, Vietnam released the first draft of its new Personal Data Protection Law (PDPL) for public consultation. The PDPL is expected to be adopted by May 2025 and is tentatively scheduled to come into effect on January 1, 2026. This proposed law seeks to establish a more comprehensive framework for data protection in Vietnam by unifying, clarifying, enhancing, and supplementing the existing regulations under the country’s current Personal Data Protection Decree (PDPD). Although it is still uncertain how the PDPD and the draft PDPL will function together, some commentators suggest that the PDPL might eventually replace the PDPD.

The draft PDPL establishes eight fundamental principles for personal data protection and outlines specific compliance requirements for various processing activities and industries. These include direct marketing, behavioural advertising, big data, AI, cloud computing, employee monitoring and recruitment, financial and credit information, health, insurance, and social media.
Key highlights proposed in the draft PDPL –

  • Extra-territorial effect: the draft PDPL extends the scope under PDPD to cover processing of foreigners’ personal data within Vietnam.
  • Consent: like the PDPD, consent remains the key legal basis for data processing, and separate consents are required for specific data processing activities.
  • Clarified definitions: the draft PDPL clarifies the distinction between ‘basic personal data’ and ‘sensitive personal data’. New definitions are also introduced, including, amongst others, ‘developers’ and ‘personal data protection organization’. The data protection authority – currently known as A05 – would change its name if the draft PDPL is implemented.
  • Updates to DPIA/TIA dossier filings: the now-familiar data processing impact assessment dossiers (“DPIA Dossiers”) for controllers and processors and transfer impact assessments for transferors (“TIA”) would have to be updated upon certain material changes to the organization if the draft PDPL were implemented.
  • Data protection department: companies would be required to have a data protection department overseeing personal data processing (although this could be outsourced to external service providers), as well as an expert (like a DPO) meeting certain eligibility criteria, with an initial short-term (two-year) exemption for new small businesses.
  • Certification mechanism: the draft PDPL would introduce a data protection certification scheme, whereby certain organizations could earn trust ratings based on an assessment of their personal data protection practices.
  • Breach reporting deadlines: the timescale for notifying authorities of breaches of personal data protection regulations is clarified as being 72 hours.
MALAYSIA

Malaysia’s Personal Data Protection Act 2010 (“PDPA”) was the country’s first comprehensive legislation on personal data protection, designed to regulate the processing of personal data in commercial transactions and safeguard the privacy rights of individuals. It entered into force in November 2013. Significant changes to the PDPA were recently passed via the Personal Data Protection (Amendment) Act (subject to royal assent), and are anticipated to come into effect soon. The PDPA is now quite old, so the amendments largely serve to update the Malaysian data protection framework and align it with more modern data protection laws elsewhere in Asia.

Key highlights of the PDPA amendments –

  • Changes to the definition of data users: The PDPA replaces the term ‘data user’ with ‘data controller’ to align it more closely with the definition used in other jurisdictions worldwide.
  • Mandatory data breach notification: Businesses must now notify the Data Protection Commissioner and affected individuals of any data breach within a specified timeframe. This mandatory notification aims to increase transparency and ensure prompt action to mitigate the impact of breaches. Failure to comply with this requirement can result in substantial penalties.
  • Mandatory obligation to appoint a Data Protection Officer (DPO): Under the new amendments, businesses are now required to appoint a Data Protection Officer (DPO). The DPO is responsible for overseeing data protection strategies, ensuring compliance with the law, and serving as a point of contact for data protection issues. This requirement places an added administrative burden on businesses but also provides a structured approach to handling data security.
  • Changes to the rules on cross border data transfers: Malaysia has removed the “white-list” system that previously allowed data transfers to countries deemed to have adequate data protection. Now, data transfers to any country are allowed, provided certain safeguards are met, such as contractual clauses or binding corporate rules. This change gives businesses more flexibility in cross-border data transfers but requires them to take additional steps to ensure compliance.
  • Increased regulation of data processors: The revised PDPA extends specific obligations directly to data processors, not just data users. Data processors must now ensure compliance and take practical steps to meet security standards, maintain accurate records of processing activities, and assist data users in meeting their obligations. This change impacts businesses that process data on behalf of other entities, increasing their responsibilities and potential liability.
  • Increased and new penalties for PDPA breaches and non-compliance: The amendments introduce higher penalties for non-compliance with personal data protection principles, including fines and imprisonment.

The fine for non-compliance is now up to 1 million ringgit (US$232,000) and/or imprisonment of up to 3 years, an increase from the previous fine of 300,000 ringgit (US$69,749) and/or imprisonment of up to 2 years.

These stricter penalties serve as a deterrent against data breaches and encourage businesses to prioritize data security measures.
INDONESIA

Indonesia’s long-awaited Personal Data Protection Law (Law No.27 of 2022) finally came into force on 17 October 2024, helpfully consolidating and clarifying the personal data protection framework in Indonesia. Whilst there is a two-year transition period, businesses with Indonesian operations or which process the personal data of Indonesian citizens should now make compliance a priority. The law is primarily consent-based.

Key highlights of the PDPL –

  • Extra-territorial effect. The PDPL applies to all personal data processing activities of individuals, corporations, public bodies and international bodies:
    1. within Indonesia; or
    2. outside of Indonesia, which: (i) has legal consequences in Indonesia, or (ii) affects Indonesian citizens located outside of Indonesia.
  • Data Subject Rights. Under the PDPL these include the: (i) right to obtain details of data processing; (ii) right to correct or supplement personal data; (iii) right to access and obtain a copy of personal data; (iv) right to request deletion of personal data; (v) right to withdraw consent; (vi) right to refuse automated decision-making; (vii) right to restrict data processing; (viii) right to bring civil action for violation of the PDPL, and (ix) right to data portability. For some specific rights, businesses only have 72 hours to respond.
  • Data Protection Impact Assessment. These are required where data processing involves a high potential risk to the data subject.
  • Data Protection Officer (DPO). For certain data processing activities, data controllers and processors must appoint a DPO.
  • Overseas Data Transfers. Data controllers transferring personal data outside of Indonesia must ensure that the recipient country has a level of data protection at least equal to that required under the PDPL. Otherwise, data controllers must ensure there is adequate data protection. If neither can be achieved, the data controller must obtain consent from the data subject for the overseas data transfer. It is anticipated that data localization measures in certain industry sectors will remain, at least in the short term.
  • Sanctions. These include written warnings, temporary suspension of personal data activities and deletion or destruction of personal data. Most notably, the PDPL introduces fines of up to 2% of the annual revenue of the data controller. In addition to these administrative sanctions, criminal sanctions include a prison sentence of up to six years and fines of up to Rp 6 billion (approximately USD 385,000) for the most serious offences.
Taken together, these changes to Southeast Asian data protection laws represent a significant shift towards stricter data protection regulation, affecting all businesses that handle personal data. Companies must now reassess their data protection practices, appoint dedicated officers, ensure compliance with cross-border data transfer rules, and prepare for potential breaches to avoid severe penalties.