Navigating Privacy: A Comparative Analysis of Privacy Laws in the ASEAN Region
The convenience of managing everything online is undeniably appealing. Yet this ‘world-at-our-fingertips’ ethos comes at a price: unfettered internet commercialization and data aggregation are a double-edged sword. Even the mundane act of hailing a taxi now means interacting with a mobile application that collects and uses a plethora of data points, from financial information and precise location coordinates to a detailed log of previous journeys. Each interaction with technology adds to a repository of intimate details, ushering in an era of relentless individual profiling and pervasive digital surveillance that gradually erodes personal autonomy.
In the contemporary digital milieu, Europe has been at the cutting edge of personal data protection, owing to the implementation of the European Union’s General Data Protection Regulation (GDPR), a milestone in bolstering individuals’ privacy rights. This rising tide has not been confined to Europe: in the wake of the GDPR, several governments around the world, India included, have sought to emulate the standards set by the European Union.
The urgency of bolstering data privacy resonates universally, prompting nations worldwide to enact regulations that keep pace with the rapid evolution of information technology. Within ASEAN, a regional bloc of ten member states[1], privacy laws are notably diverse, which can present formidable compliance hurdles for businesses operating across borders. Understanding these differences is essential for organizations doing business in the ASEAN region, as it allows them to navigate each jurisdiction’s compliance regime and pre-emptively address the risks associated with handling personal data.
This blog series will examine the governance of personal data protection across three key ASEAN jurisdictions: Singapore, Malaysia, and Thailand. We will explore how each country regulates personal data within its own legal framework, focusing on the key areas of data protection. The series breaks these concepts into clear, digestible segments, covering:
- Overview of Privacy Laws in ASEAN Countries
- Applicability of the Laws
- Definition & Categorization of Personal Data and Data Controllers
- Notice & Consent
- Data Transfer and Localization
- Data Breach Management
In this first instalment, we will provide an overview of the privacy laws in Singapore, Malaysia, and Thailand, setting the stage for a deeper dive into each country’s approach to data protection in the following parts of the series.
Overview of Privacy Laws
Singapore
Singapore’s Personal Data Protection Act 2012[2] (“PDPA – Singapore”) is the cornerstone legislation establishing a comprehensive regulatory framework governing the collection, use, and disclosure of personal data, whether held in electronic or physical records, by organisations in Singapore. The framework recognises both the right of individuals to protect their personal data and the need of organisations to collect, use, or disclose personal data for legitimate purposes. Compliance obligations include, among others, consent, accountability, purpose limitation, access and correction, transfer limitation, and the retention and proper disposal of personal data, balancing individual rights against organisational responsibilities.
Malaysia
The Personal Data Protection Act 2010[3] of Malaysia (“PDPA – Malaysia”) regulates the processing of personal data in commercial transactions and requires organizations to implement data protection measures. Its purview extends over the full range of personal data operations, encompassing the collection, recording, and storage of personal data, or the carrying out of any operation or set of operations on it.
Within its ambit, compliance obligations are governed by the following Personal Data Protection Principles:
- General principle: sets out the parameters for the processing of personal data, including the requirement for the data subject’s consent;
- Notice and Choice principle: requires data users to inform a data subject, by written notice, of various matters relating to the data subject’s personal data that is being processed by, or on behalf of, the data user;
- Disclosure principle: prohibits data users from disclosing a data subject’s personal data, without the data subject’s consent, for any purpose other than the purpose disclosed at the time of collection or a directly related purpose, or to any party other than the class of third parties made known to the data subject;
- Security principle: requires data users to formulate a security policy and take practical steps to protect personal data from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction during processing;
- Retention principle: stipulates that personal data must not be retained longer than is necessary for the purpose for which it was processed, so data users must ensure that personal data is destroyed or permanently deleted once it is no longer required for that purpose;
- Data Integrity principle: requires data users to take reasonable steps to ensure that the personal data they process is accurate, complete, not misleading, and kept up-to-date, having regard to the purpose, including any directly related purpose, for which it was collected and further processed;
- Access principle: entitles a data subject to access the personal data held about them by a data user and to correct it where it is inaccurate, incomplete, misleading, or not up-to-date.
Processing under PDPA – Malaysia includes collecting, recording, holding, or storing personal data, or carrying out any operation or set of operations on it, including: organisation, adaptation, or alteration of personal data, or its use; disclosure by transmission, transfer, dissemination, or otherwise making it available; or alignment, combination, correction, erasure, or destruction of the data. However, personal data processed by an individual only for the purposes of that individual’s personal, family, or household affairs, including recreational purposes, is exempted.
Thailand
The Personal Data Protection Act B.E. 2562 (2019)[4] (“PDPA – Thailand”) is Thailand’s first consolidated legislation in this domain, regulating how businesses handle the personal data of individuals in Thailand and protecting their right to privacy. Modelled on the General Data Protection Regulation (GDPR), PDPA – Thailand establishes an extensive framework governing the treatment of personal data by businesses in Thailand. It covers a broad spectrum of personal data, whether stored digitally or in traditional paper-based formats, and applies to all businesses operating in Thailand or offering goods or services to people in Thailand, irrespective of whether data processing is conducted in-house or outsourced to third-party processors.
Next in the series
While each ASEAN member state has its own privacy and data protection law, certain core concepts are broadly uniform, albeit with nuanced differences in compliance mandates across jurisdictions. The following parts of the series explore these concepts and their implementation in each country. In the next part, we will discuss the applicability of the Personal Data Protection Acts of Singapore, Malaysia, and Thailand.
Links:
Singapore: https://sso.agc.gov.sg/Act/PDPA2012?WholeDoc=1#top
Thailand: https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf
Malaysia: https://www.kkd.gov.my/pdf/Personal%20Data%20Protection%20Act%202010.pdf
[1] https://asean.org/ (the ten member states are Singapore, Indonesia, Malaysia, Thailand, Myanmar, Philippines, Vietnam, Cambodia, Brunei, and Lao PDR)
[2] https://sso.agc.gov.sg/Act/PDPA2012
[3] https://www.kkd.gov.my/pdf/Personal%20Data%20Protection%20Act%202010.pdf
[4] https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf
Written by: Vidya Mukherjee
Co-authored by: Abhishek Roy
Disclaimer
The information provided on this blog is for general informational purposes only and is not a substitute for professional legal advice. We are not a law firm and are not authorized to practice law in your jurisdiction. Laws and regulations are complex and constantly changing, and information that may be true in one jurisdiction may not apply in another. Before acting on any information you read here, you should consult with a qualified lawyer practicing in the relevant jurisdiction for your specific legal issues or concerns. While we strive to provide accurate and up-to-date information, we make no guarantees that the information on this blog is completely current or error-free. We disclaim any liability for any actions taken or not taken based on the information on this blog.