Navigating Privacy: A Comparative Analysis of Privacy Laws in the ASEAN Region (Part III)


Summary of the series so far:

In our first blog, we explored an overview of privacy laws in Singapore, Malaysia, and Thailand, setting the foundation for understanding the regulatory landscape in the ASEAN region.

In our second blog, we discussed the definitions and categories of personal data and data controllers under the Personal Data Protection Acts in Singapore, Malaysia, and Thailand.

Singapore’s Personal Data Protection Act (PDPA) provides a comprehensive framework for safeguarding personal data, balancing privacy rights with data processing needs. It emphasizes consent, accountability, and data retention. The Act applies to organizations handling personal data in Singapore, excluding individuals acting in a personal capacity and employees acting within the scope of their employment, and it generally does not apply to business contact information.

Malaysia’s Personal Data Protection Act (PDPA) governs personal data processing in Malaysia, focusing on notice, security, retention, and integrity. It applies to commercial transactions involving personal data, excluding NGOs and archival purposes. It covers individuals and entities in Malaysia, including foreign data processors using Malaysian equipment.

Thailand’s Personal Data Protection Act (PDPA) regulates the collection, use, and disclosure of personal data within Thailand or for Thai citizens, covering both physical and digital records. It applies to businesses, including those outside Thailand, offering goods/services to Thai residents. Exemptions include personal use, media activities, and credit bureaus.

In this instalment, we will detail the definitions and the categories of personal data and data controllers across the Personal Data Protection Acts in Singapore, Malaysia, and Thailand.

Definition & Categorization of Personal Data

Singapore

The PDPA – Singapore defines ‘personal data’ as information pertaining to an individual, capable of identifying them directly from that information alone or when combined with other accessible data. The term “personal data” is construed broadly, encompassing various data types regardless of their veracity, accuracy, or format, whether electronic or otherwise.

Notably, Singaporean courts have clarified that the content of email messages is not considered ‘personal data’ unless supplemented by additional details about an individual, such as their employment or medical history.[1] Similarly, private communications like WhatsApp messages and chats are exempt from this classification and are not considered personal data.[2] Conversely, customer databases, including compiled extracts, and communications aimed at identifying or blacklisting specific individuals do fall under the purview of personal data.[3] Moreover, information concerning one individual may inadvertently disclose details about another, rendering it personal data for both individuals.[4] However, the PDPA – Singapore does exclude certain categories of data from its application, such as data existing for over 100 years or the business contact information of an individual, as mentioned in Part II of this series.

Malaysia

The Malaysia PDPA regulates two categories of data:

(a) personal data and

(b) sensitive personal data.

“Personal data” includes information processed by automated means or recorded in filing systems, which relates to an identified or identifiable individual, incorporating sensitive personal data and opinions about the data subject, but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency.

Conversely, “sensitive personal data” relating to a data subject’s health, political views, religious beliefs, criminal record, or alleged commission of any offence is subject to stricter regulation. 

The Act also imposes additional obligations for data controllers with respect to sensitive personal data. Notably, the processing of sensitive personal data mandates explicit consent from the data subject unless an exemption applies. In contrast, for personal data excluding sensitive categories, explicit consent is not compulsory as long as consent obtained from the data subject can be documented and appropriately maintained by the data user.

Thailand

“Personal Data”[5] has been defined under the PDPA – Thailand to include any information relating to a Person, which enables the identification of such Person, whether directly or indirectly. An additional obligation to obtain the explicit consent of the data subject is mandated prior to collecting Personal Data specific to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data or biometric data[6].

Personal data can be categorised into general personal data and sensitive personal data, for which different requirements and exemptions apply (e.g. exception of household activity).

With regard to the territorial extent of the law, the PDPA applies to collection, use, and/or disclosure of personal data by a personal data controller or a personal data processor within Thailand, irrespective of whether such actions occur within Thailand’s borders.

Additionally, this law has extra-territorial applicability over entities beyond Thailand borders engaged in collecting, using, and/or disclosing personal data belonging to individuals / data subjects who are in Thailand under two circumstances:

  • when the activities are linked to the offering of goods or services to individuals in Thailand, irrespective of whether the payment is made by the data subject/individual; or
  • where the activities are associated with monitoring of the data subject’s behaviour in Thailand.[7]

Classification of Data Controllers and Data Processors

Singapore

The PDPA – Singapore differentiates between two categories of companies: organisations (commonly referred to as ‘controllers’ in other jurisdictions) and data intermediaries (often known as ‘processors’ elsewhere). Organizations must comply with all eleven obligations outlined in the PDPA. In contrast, data intermediaries are only required to adhere to the Protection and Retention Limitation obligations. Additionally, under the Data Breach Notification obligation, data intermediaries must promptly inform the organization they are processing personal data for in the event of a data breach[8].

Malaysia

The PDPA – Malaysia specifies a list of Data Controllers, requiring them to obtain registration, formulate codes of practice, and more. This class of Data Controllers includes industries such as communications, banking and financial institutions, insurance, health, tourism and hospitalities, transportation (aviation), education, direct selling, professional services, etc. The PDPA – Malaysia now imposes a direct obligation on data processors to comply with its data protection standards, including the responsibility to maintain accurate records and ensure the safeguarding of data against loss, misuse, or unauthorized access.

Thailand

Under the PDPA – Thailand, the data controller holds substantial responsibilities and liabilities, whereas the data processor’s obligations and liabilities are comparatively minimal. However, if the data processor fails to process personal data in accordance with the instructions of the data controller, it will be regarded as a data controller and held liable accordingly[9]. The data processor is required to handle personal data following the instructions of the data controller, whereas the data controller must establish a lawful basis for processing the personal data.

Next in the series

In the next instalment, we will be discussing the mandate of notice and consent under the Personal Data Protection Acts in Singapore, Malaysia and Thailand.

Links:

Singapore: https://sso.agc.gov.sg/Act/PDPA2012?WholeDoc=1#top

Thailand: https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf

Malaysia: JW515839 Act 709.indd (kkd.gov.my)

[1] https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/advisory-guidelines-on-key-concepts-in-the-pdpa-17-may-2022.pdf

[2] Ibid

[3] Ibid

[4] Ibid

[5] “Personal Data” means any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular (Section 6 of the PDPA – Thailand)

[6] Section 26 of the Thailand PDPA

[7] Section 5 of the Thailand PDPA

[8] https://www.pdpc.gov.sg/the-distinction-between-organisations-and-data-intermediaries-and-why-it-matters?utm_source=chatgpt.com

[9] Section 40 of PDPA – Thailand

Written by: Vidya Mukherjee, Abhishek Roy

Co-authored by: Swapna Umakanth

Disclaimer

The information provided on this blog is for general informational purposes only and is not a substitute for professional legal advice. We are not a law firm and are not authorized to practice law in your jurisdiction. Laws and regulations are complex and constantly changing, and information that may be true in one jurisdiction may not apply in another. Before acting on any information you read here, you should consult with a qualified lawyer practicing in the relevant jurisdiction for your specific legal issues or concerns. While we strive to provide accurate and up-to-date information, we make no guarantees that the information on this blog is completely current or error-free. We disclaim any liability for any actions taken or not taken based on the information on this blog.

