Data Protection and Cybersecurity Laws In The Asia-Pacific Region

The number of people using the internet keeps growing, with more than one million users accessing the internet for the first time each day. Cybersecurity Ventures predicts there will be 6 billion internet users by 2022 (75 per cent of the projected world population of 8 billion), and that the usage rate will increase up to 90 per cent of the world population by 2030. Aside from commerce, most internet users go online to socialize and interact with their peers. For instance, there were 3.80 billion social network users in January 2020, a number that had increased by about 9 per cent since the previous year. The advance of the internet and related communications technology allows easy access to information from anywhere on earth. For example, an online merchant operating in Thailand can offer its services to customers living in the EU and the USA. To handle the spread of personal, financial, medical and other types of personal information across the globe via the internet, appropriate legal regulations should be put in place to protect citizens' private data and organizations' digital assets when working online.

Following the implementation of the General Data Protection Regulation (GDPR) in the European Union (which came into force on May 25, 2018), which regulates data protection and privacy in EU countries as well as the transfer of personal data outside the EU and EEA areas, more countries around the world have begun to review and strengthen their data protection and cybersecurity laws to cope with the new regulation. While the GDPR is an EU regulation, enterprises operating outside EU countries should be aware of its implications to avoid violating any of its terms when handling or processing the personal data of EU citizens. In this article, I will briefly review the cybersecurity and personal data protection acts implemented in major countries in the Asia-Pacific region. Keep in mind that laws concerning cybersecurity and internet privacy are updated regularly because of the ever-changing nature of technology and the development of relevant laws in other jurisdictions and trading partners.

Classifications of personal information in relation to an individual's public or private life
We can differentiate between two types of personal information about an individual:

Personally identifiable information (PII) or sensitive personal information (SPI): This includes any piece of information which can, on its own or in combination with other information, uniquely or semi-uniquely identify a specific individual. Examples include full name, birth date, username on social media platforms, resume and work history, government-issued identification (passport, driving license and social insurance number), email address, telephone number, mail address, property information, communication records and contents, personal picture, biometric data, credit card number, bank account number and any factor that can make a person uniquely identifiable.

Anonymous information: This type of information is not strictly related to an individual, hence we cannot use it on its own to distinguish someone online or offline. Examples include race, national origin, languages spoken, gender identity, blood type, physical traits (height, weight, age, hair color, skin tone, tattoos), income brackets, geographic location (country, GPS coordinates) and online browsing activities such as browsing behavior, links clicked and browsing history.

There has been some debate over whether an internet user's IP address constitutes PII. To answer this question, I will refer to a decision issued by the European Court of Justice (ECJ), which considers internet users' IP addresses to be Personally Identifiable Information (PII). So, to stay on the safe side, it is better to treat an IP address as a type of PII, although this rule is not applied in all jurisdictions around the globe.

Another thing we should be aware of, as they are mentioned in most data protection laws around the world, is the concepts of the Data Controller and the Data Processor.

The Data Controller is the legal entity (individual, public authority, agency, private company) which determines, on its own or in partnership with other entities, the purpose of collecting and processing consumer personal data (the consumer is also known as the "Data Subject" in most data protection laws). The Controller is the entity that directs the activities of the Data Processor.

The Data Processor is the legal entity (individual, public authority, agency, private company) that processes, stores or transmits personal data on behalf of the Data Controller. The Data Processor can only use collected data as instructed by the Data Controller, and is commonly required to keep an audit of all processing activities. I will give an example to clarify the concept: most websites use third-party services to serve advertisements and to collect statistical information about their users. For instance, when you visit a website (e.g. the CNN website) that uses the Google Analytics service to analyze visitors' behavior, the CNN website is considered the Data Controller while Google Analytics is the Data Processor. Another example is when a website uses a provider for email marketing campaigns: the original website visited by the user is the Data Controller, while the email marketing provider used to send emails and track user engagement is the Processor.

Data protection laws impose different obligations on the Data Controller and the Data Processor. For example, under the GDPR (see Figure 1), the Controller is the main party responsible for consent and for governing access to consumer data, and is responsible for the lawfulness, fairness, and transparency of information in addition to the confidentiality of personal data. The Controller should select a Data Processor that complies with the GDPR.

Now that we know the difference between PII and other anonymous information related to individuals, and can differentiate between a Data Controller and a Data Processor, we will turn to the main cybersecurity and data protection regulations in the major Asia-Pacific countries.

Singapore

The Personal Data Protection Commission (PDPC) in Singapore is the authority responsible for administering and enforcing the Personal Data Protection Act (PDPA). The regulation was implemented in phases, the last of which came into force on 2 July 2014.

The PDPA is a general umbrella that covers many government laws concerning the collection and use of individual personal data (stored in digital or non-digital forms). The PDPA gives individuals the right to protect their data and governs how businesses can use personal data collected from consumers for legitimate purposes. To comply with the PDPA, each company must meet different requirements, according to the industry it belongs to, when collecting and processing personal data.

Japan

Directly after the GDPR was enforced in the EU, Japan and the European Union agreed to recognize each other's data protection laws as providing sufficient protection for an individual's personal information. This allows enterprises working in both the EU and Japan to exchange personal information freely without any legal barrier. The framework for mutual and easy transfer of personal data between Japan and the European Union came into force on 23 January 2019.

The Personal Information Protection Commission (PPC) (https://www.ppc.go.jp/en) is an independent official authority responsible for protecting the privacy rights and interests of individuals and for supervising the use and retention of consumer personal data by businesses. The PPC is also responsible for international cooperation between Japan and other jurisdictions in the area of data protection laws.

Vietnam

In January 2019, Vietnam's cybersecurity law came into force. This law imposes many restrictions on domestic and foreign companies that work, or want to work, in the Vietnamese market. For instance, all companies offering internet and telecommunications services, or any other service related to internet or telecommunication technology (such as cloud storage providers, social networking sites like Facebook and Twitter, instant messaging services like WhatsApp, online payment systems, online merchants, domain name and hosting providers, online gaming, email providers), that operate in Vietnamese cyberspace and process or retain information about Vietnamese users must have a physical local branch or a representative in Vietnam. The law also requires such companies to store the processed data of Vietnamese users for a period specified by the Vietnamese government. The data localization element of the law is considered the toughest part of the regulation, as it requires storing processed data in certain geographical locations within the country or handing this information over to the authorities. As a result, virtual companies (those that operate completely online) cannot offer their services in the Vietnamese market.

It is not clear whether the Vietnamese government has the required resources, expertise and tools to enforce such strict regulation. However, we can expect to see more countries in the region move to apply rules similar to those of the Vietnamese government, which are somewhat similar to the Chinese cybersecurity regulations that impose tight control over the internet and over all companies operating in China's cyberspace.

China

In China, there are many regulations, issued by different government bodies or ministries, related to cybersecurity and internet control. In this article, however, I will focus on the regulations related to the protection of user personal information. The China Personal Information Security Specification, which went into force in 2017, is the Chinese version of the EU GDPR and the first specification issued to protect Chinese citizens' personal data. Published by the Standardization Administration of China, this specification addresses the collection, transfer, and disclosure of Chinese citizens' personal information. It also defines the terms under which businesses can collect or share personal information about users and how to store and process this information, in addition to the required procedures for handling security incidents.

An update to this specification, in the form of draft measures, was issued in June 2019 and mainly addresses the transfer of important personal information across borders. The draft measures impose the following terms on companies that operate in Chinese cyberspace and handle Chinese personal information:

Network operators in China are required to conduct a security assessment of their systems that reveals the risks associated with the transfer of personal information outside the borders, and to hand these assessments to the local cyberspace administration authority. This requirement raises concerns among foreign companies operating in China, because to meet this regulation, companies may be required to reveal sensitive information and/or critical business secrets, such as the source code of their programs or applications and critical information about their systems (e.g. encryption mechanisms), to the authorities.

Important data breaches should be reported properly to the authority without any delay. Companies processing Chinese citizens' information are also required to have an incident response plan and to conduct regular cybersecurity training for their employees. If an incident takes place, companies should cooperate with the authorities to investigate the incident and collect related digital evidence.

Important personal data should be stored locally within China unless the business has passed the required security assessments imposed by official authorities, among other terms. Data that affects national security and/or has a negative effect on the public interest cannot be transferred outside the borders under any condition. Companies offering online services (e.g. WhatsApp) or other value-added services in the Chinese market must store their data locally on Chinese servers; otherwise, they are not allowed to conduct business in the Chinese market. All companies that operate in China or want to access the Chinese market should be familiar with the updated draft measures of the China Personal Information Security Specification. When a company cannot adhere to the draft measures' requirements (especially the security assessment part), data localization becomes mandatory to remain operational in this market.

Thailand

The Thai government released the Personal Data Protection Act (PDPA) on May 27, 2019, and the law is going to take effect on May 27, 2020. The Thai PDPA has extended the scope of its geographical application to include any company outside Thailand that processes or stores personal data of Thai citizens as part of the services or products it offers, regardless of whether there is a payment or not. After reading the law, I conclude that the Thai government has adopted a similar approach to the GDPR when defining the obligations of companies concerning collecting and safeguarding the personal data of individuals. The following are the main key points of the Thai PDPA:

There should be a legal basis for collecting data from the consumer. In some instances, the legal basis can be clear consent (see Figure 2) from the consumer, given in a written statement or via other electronic means.

The consumer should also have the right to revoke access to or update his/her data at any time, and has the right to know the purpose of collecting or disclosing his/her personal data.

Organizations should not collect personal data that they do not need in order to offer the specified product or service to the consumer.

The act imposes a notification requirement for any data breach, which must be carried out within 72 hours after the organization becomes aware of it. The affected consumer should also be notified if the breach constitutes a high risk to his/her data.

For some types of businesses, the law requires a local representative in Thailand.

The Data Controller cannot send consumer personal data outside the Thai border without proper consent from the data owner, unless the destination country has proper privacy and data protection laws or the transfer is permitted by law.

Breaching the PDPA may result in serious civil, criminal and administrative penalties that reach up to THB5m (more than USD 153,000).

The law allows a Data Controller who collected personal data of Thai consumers before the enforcement of this act (before 27 May 2020) to continue using it under the following two conditions:

Consumers are given a withdrawal method to stop the use of their data, and

If the consumer grants permission to the Data Controller to continue using his/her data, the data should be used for the original purpose it was collected for and not for anything else.

Although the Thai PDPA is modeled on the EU GDPR, there are some key differences between the two laws that make the GDPR stronger in terms of enforcing strong protection of individual data. For example, the PDPA does not explicitly set rules to control the automatic processing of personal data that is used to create a profile of internet users. The PDPA also does not detail the obligations of the Data Controller and the Data Processor as strictly as the GDPR does.

Conclusion

Entities doing business or looking to invest in the Asia-Pacific market should be aware of the different data protection and cybersecurity laws enforced by the different countries in the region. Organizations should also update their legal consents when collecting personal information from consumers, and develop privacy policies that reflect the requirements imposed by these laws. In some countries, data localization is required when your work involves collecting and retaining sensitive personal information about local consumers. Please refer to the further reading below for a more comprehensive review of the data protection and cybersecurity laws of each country.