Navigating Privacy: A Comparative Analysis of Privacy Laws in the ASEAN Region (Part II)
Summary of the series so far:
In our previous blog, we explored an overview of privacy laws in Singapore, Malaysia, and Thailand, setting the foundation for understanding the regulatory landscape in the ASEAN region.
Singapore’s Personal Data Protection Act (PDPA) establishes a comprehensive framework for personal data protection, balancing individuals’ privacy rights with organizations’ needs for data processing. It includes principles like consent, accountability, and retention.
Malaysia’s Personal Data Protection Act (PDPA) regulates personal data processing, emphasizing principles such as notice, security, retention, and data integrity, requiring organizations to ensure data protection and accuracy.
Thailand’s Personal Data Protection Act (PDPA), inspired by the EU’s GDPR, governs how businesses manage citizens’ personal data, covering both digital and physical records, and applies to all businesses handling personal data within Thailand or serving Thai citizens.
In this instalment, we discuss the applicability of the Personal Data Protection Acts in Singapore, Malaysia, and Thailand.
For the sake of clarity in this blog series, the term “data controller” refers to any entity that has the authority and responsibility to decide how personal data is collected, used, or disclosed, while the individual whose data is subject to processing is referred to as the “data subject,” and an entity engaged in processing data on behalf of the controller is identified as the “data processor.”
Applicability of the Laws
Singapore
Singapore’s data protection framework centres on the PDPA – Singapore, which governs the collection, use and disclosure by entities of personal data concerning Singaporean residents.
The PDPA – Singapore is applicable to organizations conducting operations involving personal data within Singapore[1].
It encompasses virtually all enterprises handling the personal data of Singapore residents in electronic and non-electronic formats. However, exemptions exist, particularly for personal data contained in records that have existed for over a century or personal data concerning individuals who have been deceased for more than a decade. Additionally, the PDPA – Singapore does not extend to individuals acting in personal or domestic capacities, or employees acting within the scope of their employment. The PDPA also generally does not apply to business contact information[2] unless it was solely provided for personal purposes.
Where personal data is collected overseas and subsequently transferred into Singapore, the Data Protection Provisions will apply in respect of the activities involving the personal data in Singapore[3].
In the event personal data originating from outside Singapore is collected by an organisation in Singapore for use or disclosure for its own purposes in Singapore (that is, not as a data intermediary of another organisation), the organisation is required to comply with all Data Protection Provisions from the moment it seeks to collect the personal data (if such collection occurs in Singapore) or from the time it brings the personal data into Singapore[4].
Malaysia
The PDPA – Malaysia applies to individuals engaged in processing personal data within the context of commercial transactions. Notably, the law confines its scope to data processed for commercial transactions exclusively. The term “commercial transaction” encompasses various activities such as the supply or exchange of goods or services, agency, investments, financing, banking, and insurance. However, it excludes credit reporting businesses regulated under the Credit Reporting Agencies Act 2010. Further, data collected by non-governmental organizations (NGOs) or processed for archival purposes, among others, falls beyond the jurisdiction of this law.
It applies to individuals in Malaysia, including those physically residing in Malaysia for at least 180 days in a calendar year, companies incorporated under the Companies Act 1965, partnerships, and unincorporated associations formed under Malaysian laws. Additionally, it covers individuals or entities maintaining an office, branch, agency, or regular practice in Malaysia. It also extends to data processors outside of Malaysia, who utilize equipment in Malaysia to process data for all purposes excluding transit-related activities. The term “regular practice” is pivotal in this legislation as it encompasses and regulates entities without an online presence in Malaysia.
Further, the PDPA in Malaysia applies to data processing, including collection, storage, organization, alteration, disclosure, and destruction of personal data, aligning with other ASEAN countries. The Act shall not apply to any personal data processed outside Malaysia unless that personal data is intended to be further processed in Malaysia.
Thailand
The PDPA – Thailand governs the collection, use, or disclosure of Personal Data in Thailand by Data Controllers and Data Processors. It also applies to Data Controllers and Data Processors located outside of Thailand if they process data in connection with offering goods or services to Data Subjects who are in the Kingdom of Thailand, irrespective of whether any payment is made by the data subject, or for monitoring of the data subject’s behaviour, where the ‘behaviour’ takes place in the Kingdom of Thailand.
The PDPA – Thailand does not apply to the collection, use, or disclosure of Personal Data by a Person who collects such Personal Data for personal benefit or household activity of such Person only. Further, it does not apply to a juristic person who uses or discloses Personal Data that is collected only for the activities of mass media, fine arts, or literature, which are only in accordance with professional ethics or for public interest, or to operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business.
Next in the series
In the next instalment, we will be discussing the definitions and the categories of personal data and data controllers under the Personal Data Protection Acts in Singapore, Malaysia, and Thailand.
Links
Singapore: https://sso.agc.gov.sg/Act/PDPA2012?WholeDoc=1#top
Thailand: https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf
Malaysia: JW515839 Act 709.indd (kkd.gov.my)
[1] https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/advisory-guidelines-on-key-concepts-in-the-pdpa-17-may-2022.pdf
[2] https://sso.agc.gov.sg/Act/PDPA2012#pr2-
“business contact information” means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.
[3] https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/applicability-to-inbound-data-transfers—ch-11-(270717).pdf?la=en
[4] Ibid.
Written by: Vidya Mukherjee
Co-authored by: Abhishek Roy
Disclaimer
The information provided on this blog is for general informational purposes only and is not a substitute for professional legal advice. We are not a law firm and are not authorized to practice law in your jurisdiction. Laws and regulations are complex and constantly changing, and information that may be true in one jurisdiction may not apply in another. Before acting on any information you read here, you should consult with a qualified lawyer practicing in the relevant jurisdiction for your specific legal issues or concerns. While we strive to provide accurate and up-to-date information, we make no guarantees that the information on this blog is completely current or error-free. We disclaim any liability for any actions taken or not taken based on the information on this blog.